Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573102 (CVE-2016-0755) - <net-misc/curl-7.47.1: NTLM credentials not-checked for proxy connection re-use (CVE-2016-0755)
Summary: <net-misc/curl-7.47.1: NTLM credentials not-checked for proxy connection re-u...
Status: RESOLVED FIXED
Alias: CVE-2016-0755
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-27 11:21 UTC by Agostino Sarubbo
Modified: 2017-01-19 19:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-01-27 11:21:15 UTC
From ${URL} :

A vulnerability was found in a way libcurl uses NTLM-authenticated proxy connections.
Libcurl will reuse NTLM-authenticated proxy connections without properly making sure,
that the connection was authenticated with the same credentials as set for this transfer.

Upstream bug report:

http://curl.haxx.se/docs/adv_20160127A.html

Upstream patch:

http://curl.haxx.se/CVE-2016-0755.patch


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-27 11:32:01 UTC
This issue is fixed in 7.47.0 release: o NTLM: do not resuse proxy connections without diff proxy credentials [34]
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-07-01 05:29:33 UTC
CVE-2016-0755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0755):
  The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not
  properly re-use NTLM-authenticated proxy connections, which might allow
  remote attackers to authenticate as other users via a request, a similar
  issue to CVE-2014-0015.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-01 05:31:08 UTC
Added to existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:26:43 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:31:33 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).