Summary: | <net-misc/curl-7.42.0: Multiple vulnerabilities (CVE-2015-{3143,3144,3145,3148}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | blueness, gregkh |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa cve] | ||
Package list: | | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2015-04-22 08:14:09 UTC
curl-7.42.0 is in the tree and ready for rapid stabilization: KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Stable for PPC64.

Stable for HPPA.

amd64 stable

x86 stable

stable on ppc

CVE-2015-3148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3148): cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

CVE-2015-3145 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3145): The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character.

CVE-2015-3144 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3144): The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."

CVE-2015-3143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3143): cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

stable for arm

alpha stable

ia64 stable

sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

(In reply to Agostino Sarubbo from comment #11)
> sparc stable.
>
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

There is a new security release with 7.42.1.

(In reply to Anthony Basile from comment #12)
> (In reply to Agostino Sarubbo from comment #11)
> > sparc stable.
> >
> > Maintainer(s), please cleanup.
> > Security, please add it to the existing request, or file a new one.
>
> There is a new security release with 7.42.1.

Please use a new bug for this if you want security tracking it. I saw the announcement and it seems limited in scope due to the use case affected (header information leakage to proxy server if application does not set appropriately restrictive options), specifically:

"If the application sets a custom HTTP header with sensitive content (e.g., authentication cookies) without changing the default, the proxy, and anyone who listens to the traffic between the application and the proxy, might get access to those values. Note: this problem doesn't exist when using the `CURLOPT_COOKIE` option (or the '--cookie' option) or the HTTP auth options, which are always sent only to the destination server."

GLSA Vote: Yes, Note: additional related bugs; bug 548130 and bug 528840

Vote: Yes

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Maintainer(s), Thank you for cleanup.

This issue was resolved and addressed in GLSA 201509-02 at https://security.gentoo.org/glsa/201509-02 by GLSA coordinator Kristian Fiskerstrand (K_F).
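
The index error summarized in the thread for CVE-2015-3145 (a cookie path containing only a double-quote character), shown as an added C illustration that is not part of the bug thread and is not curl's source. `dup_str`, `strip_quotes_unchecked` and `strip_quotes_checked` are hypothetical, simplified functions, and the input in `main` is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration: hypothetical, simplified functions, not curl's source. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Unchecked form, shown for contrast and never called here. */
char *strip_quotes_unchecked(const char *path)
{
    char *p = dup_str(path);
    if (!p)
        return NULL;
    if (p[0] == '"')
        memmove(p, p + 1, strlen(p)); /* a lone quote becomes "" (length 0) */
    if (p[strlen(p) - 1] == '"')      /* length 0: index is the byte before p */
        p[strlen(p) - 1] = '\0';
    return p;
}

/* Checked form: track the length and index len - 1 only when len > 0. */
char *strip_quotes_checked(const char *path)
{
    char *p = dup_str(path);
    size_t len;
    if (!p)
        return NULL;
    len = strlen(p);
    if (len > 0 && p[0] == '"') {
        memmove(p, p + 1, len);       /* also moves the terminating NUL */
        len--;
    }
    if (len > 0 && p[len - 1] == '"')
        p[--len] = '\0';
    return p;
}

int main(void)
{
    char *r = strip_quotes_checked("\""); /* constructed input: a lone quote */
    printf("[%s]\n", r ? r : "(alloc failed)");
    free(r);
    return 0;
}
```
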