{"id": "ASA-201611-4", "type": "archlinux", "bulletinFamily": "unix", "title": "[ASA-201611-4] lib32-curl: multiple issues", "description": "Arch Linux Security Advisory ASA-201611-4\n=========================================\n\nSeverity: High\nDate : 2016-11-02\nCVE-ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618\nCVE-2016-8619 CVE-2016-8621 CVE-2016-8623 CVE-2016-8624\nCVE-2016-8625\nPackage : lib32-curl\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package lib32-curl before version 7.51.0-1 is vulnerable to\nmultiple issues including arbitrary code execution, content spoofing,\ninformation disclosure, insufficient validation and authentication\nbypass.\n\nResolution\n==========\n\nUpgrade to 7.51.0-1.\n\n# pacman -Syu \"lib32-curl>=7.51.0-1\"\n\nThe problems have been fixed upstream in version 7.51.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-8615 (content spoofing)\n\nIf cookie state is written into a cookie jar file that is later read\nback and used for subsequent requests, a malicious HTTP server can\ninject new cookies for arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory,\nwhich reads the specified file into a fixed-size buffer in a line-by-\nline manner using the fgets() function. If an invocation of fgets()\ncannot read the whole line into the destination buffer due to it being\ntoo small, it truncates the output. This way, a very long cookie (name\n+ value) sent by a malicious server would be stored in the file and\nsubsequently that cookie could be read partially and crafted correctly,\nit could be treated as a different cookie for another server.\n\n- CVE-2016-8616 (authentication bypass)\n\nWhen re-using a connection, curl was doing case insensitive comparisons\nof user name and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists\nfor a protocol that has connection-scoped credentials, an attacker can\ncause that connection to be reused if s/he knows the case-insensitive\nversion of the correct password.\n\n- CVE-2016-8617 (arbitrary code execution)\n\nIn libcurl's base64 encode function, the output buffer is allocated as\nfollows without any checks on insize:\n\nmalloc( insize * 4 / 3 + 4 )\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if insize is at least 1GB\nof data. If this happens, an undersized output buffer will be\nallocated, but the full result will be written, thus causing the memory\nbehind the output buffer to be overwritten.\n\nIf a username is set directly via CURLOPT_USERNAME (or curl's -u,\n--user option), this vulnerability can be triggered. The name has to be\nat least 512MB big in a 32bit system.\n\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8618 (arbitrary code execution)\n\nThe libcurl API function called curl_maprintf() can be tricked into\ndoing a double-free due to an unsafe size_t multiplication, on systems\nusing 32 bit size_t variables. The function is also used internally in\nnumerous situations.\n\nThe function doubles an allocated memory area with realloc() and allows\nthe size to wrap and become zero and when doing so realloc() returns\nNULL and frees the memory - in contrary to normal realloc() fails where\nit only returns NULL - causing libcurl to free the memory again in the\nerror path.\n\nThis behavior is triggerable using the publicly exposed function.\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8619 (arbitrary code execution)\n\nIn curl's implementation of the Kerberos authentication mechanism, the\nfunction read_data() in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it\nfails to ensure that the length parameter passed to realloc() is not\nset to 0.\n\nThis would lead to realloc() getting called with a zero size and when\ndoing so realloc() returns NULL and frees the memory - in contrary to\nnormal realloc() fails where it only returns NULL - causing libcurl to\nfree the memory again in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-\nbehaving server.\n\n- CVE-2016-8621 (information disclosure)\n\nThe curl_getdate converts a given date string into a numerical\ntimestamp and it supports a range of different formats and possibilites\nto express a date and time. The underlying date parsing function is\nalso used internally when parsing for example HTTP cookies (possibly\nreceived from remote servers) and it can be used when doing conditional\nHTTP requests.\n\nThe date parser function uses the libc sscanf() function at two places,\nwith the parsing strings \"%02d:%02d\" and \"\"%02d:%02d:%02d\". The intent\nbeing that it would parse either a string with HH:MM (two digits colon\ntwo digits) or HH:MM:SS (two digits colon two digits colon two digits).\nIf instead the piece of time that was sent in had the final digit cut\noff, thus ending with a single-digit, the date parser code would\nadvance its read pointer one byte too much and end up reading out of\nbounds.\n\n- CVE-2016-8623 (arbitrary code execution)\n\nlibcurl explicitly allows users to share cookies between multiple easy\nhandles that are concurrently employed by different threads.\nWhen cookies to be sent to a server are collected, the matching\nfunction collects all cookies to send and the cookie lock is released\nimmediately afterwards. That function however only returns a list with\nreferences back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a use-after-\nfree can occur possibly leading to arbitrary code execution. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\n- CVE-2016-8624 (insufficient validation)\n\ncurl doesn't parse the authority component of the URL correctly when\nthe host name part ends with a '#' character, and could instead be\ntricked into connecting to a different host. This may have security\nimplications if you for example use a URL parser that follows the RFC\nto check for allowed domains before using curl to request them.\n\nPassing in http://example.com#@evil.com/x.txt would wrongly make curl\nsend a request to evil.com while your browser would connect to\nexample.com given the same URL.\n\nThe problem exists for most protocol schemes.\n\n- CVE-2016-8625 (insufficient validation)\n\nWhen curl is built with libidn to handle International Domain Names\n(IDNA), it translates them to puny code for DNS resolving using the\nIDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA\nstandard. This misalignment causes problems with for example domains\nusing the German \u00df character (known as the Unicode Character 'LATIN\nSMALL LETTER SHARP S') which is used at times in the .de TLD and is\ntranslated differently in the two IDNA standards, leading to users\npotentially and unknowingly issuing network transfer requests to the\nwrong host.\n\nFor example, stra\u00dfe.de is translated into strasse.de using IDNA 2003\nbut is translated into xn--strae-oqa.de using IDNA 2008. Needless to\nsay, those host names could very well resolve to different addresses\nand be two completely independent servers. IDNA 2008 is mandatory for\n.de domains.\n\nThis name problem exists for DNS-using protocols in curl, but only when\nbuilt to use libidn.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code, inject cookies for\narbitrary domains and disclose sensitive information via various vectors.\n\nReferences\n==========\n\nhttps://curl.haxx.se/changes.html#7_51_0\nhttps://curl.haxx.se/docs/adv_20161102A.html\nhttps://curl.haxx.se/docs/adv_20161102B.html\nhttps://curl.haxx.se/docs/adv_20161102C.html\nhttps://curl.haxx.se/docs/adv_20161102D.html\nhttps://curl.haxx.se/docs/adv_20161102E.html\nhttps://curl.haxx.se/docs/adv_20161102G.html\nhttps://curl.haxx.se/docs/adv_20161102I.html\nhttps://curl.haxx.se/docs/adv_20161102J.html\nhttps://curl.haxx.se/docs/adv_20161102K.html\nhttps://access.redhat.com/security/cve/CVE-2016-8615\nhttps://access.redhat.com/security/cve/CVE-2016-8616\nhttps://access.redhat.com/security/cve/CVE-2016-8617\nhttps://access.redhat.com/security/cve/CVE-2016-8618\nhttps://access.redhat.com/security/cve/CVE-2016-8619\nhttps://access.redhat.com/security/cve/CVE-2016-8621\nhttps://access.redhat.com/security/cve/CVE-2016-8623\nhttps://access.redhat.com/security/cve/CVE-2016-8624\nhttps://access.redhat.com/security/cve/CVE-2016-8625", "published": "2016-11-02T00:00:00", "modified": "2016-11-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://security.archlinux.org/ASA-201611-4", "reporter": "ArchLinux", "references": ["https://wiki.archlinux.org/index.php/CVE", "http://example.com#@evil.com/x.txt", "http://evil.com", "http://example.com", "https://curl.haxx.se/changes.html#7_51_0", "https://curl.haxx.se/docs/adv_20161102A.html", "https://curl.haxx.se/docs/adv_20161102B.html", "https://curl.haxx.se/docs/adv_20161102C.html", "https://curl.haxx.se/docs/adv_20161102D.html", "https://curl.haxx.se/docs/adv_20161102E.html", "https://curl.haxx.se/docs/adv_20161102G.html", "https://curl.haxx.se/docs/adv_20161102I.html", "https://curl.haxx.se/docs/adv_20161102J.html", "https://curl.haxx.se/docs/adv_20161102K.html", "https://access.redhat.com/security/cve/CVE-2016-8615", "https://access.redhat.com/security/cve/CVE-2016-8616", "https://access.redhat.com/security/cve/CVE-2016-8617", "https://access.redhat.com/security/cve/CVE-2016-8618", "https://access.redhat.com/security/cve/CVE-2016-8619", "https://access.redhat.com/security/cve/CVE-2016-8621", "https://access.redhat.com/security/cve/CVE-2016-8623", "https://access.redhat.com/security/cve/CVE-2016-8624", "https://access.redhat.com/security/cve/CVE-2016-8625"], "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8621", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625"], "lastseen": "2020-09-22T18:36:44", "viewCount": 468, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2020-09-22T18:36:44", "rev": 2}, "dependencies": {"references": [{"type": "archlinux", "idList": ["ASA-201611-8", "ASA-201611-10", "ASA-201611-9", "ASA-201611-5", "ASA-201611-7"]}, {"type": "nessus", "idList": ["ALA_ALAS-2016-766.NASL", "FREEBSD_PKG_765FEB7DA0D111E6A881B499BAEBFEAF.NASL", "EULEROS_SA-2017-1035.NASL", "EULEROS_SA-2017-1036.NASL", "SLACKWARE_SSA_2016-308-01.NASL", "DEBIAN_DLA-711.NASL", "ORACLEVM_OVMSA-2020-0035.NASL", "FEDORA_2016-89769648A0.NASL", "ORACLELINUX_ELSA-2019-4652.NASL", "DEBIAN_DSA-3705.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DLA-711-1:02E2B", "DEBIAN:DSA-3705-1:8640E"]}, {"type": "slackware", "idList": ["SSA-2016-308-01"]}, {"type": "freebsd", "idList": ["765FEB7D-A0D1-11E6-A881-B499BAEBFEAF"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3916", "ELSA-2019-1880", "ELSA-2020-1020", "ELSA-2019-2181", "ELSA-2020-5002", "ELSA-2019-4652"]}, {"type": "fedora", "idList": ["FEDORA:C38F16060C6A", "FEDORA:40D1C6051CE4"]}, {"type": "amazon", "idList": ["ALAS-2016-766"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220171035", "OPENVAS:1361412562311220191549", "OPENVAS:1361412562310872080", "OPENVAS:1361412562311220171036", "OPENVAS:1361412562310851432", "OPENVAS:1361412562310703705", "OPENVAS:1361412562310842943", "OPENVAS:1361412562310810155", "OPENVAS:703705", "OPENVAS:1361412562310811270"]}, {"type": "suse", "idList": ["SUSE-SU-2016:2714-1", "SUSE-SU-2016:2700-1", "OPENSUSE-SU-2016:2768-1", "SUSE-SU-2016:2699-1"]}, {"type": "cve", "idList": ["CVE-2016-8621", "CVE-2016-8619", "CVE-2016-8625", "CVE-2016-8616", "CVE-2016-8615", "CVE-2016-8624", "CVE-2016-8618", "CVE-2016-8623", "CVE-2016-8617"]}, {"type": "ubuntu", "idList": ["USN-3123-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:7D5FB6CA51F09BC6516D6E547D7F4E42"]}, {"type": "f5", "idList": ["F5:K17742627", "F5:K84940705", "F5:K01006862", "F5:K26899353", "F5:K85235351", "F5:K44503763", "F5:K52828640", "F5:K46123931", "F5:K10196624"]}, {"type": "hackerone", "idList": ["H1:180434"]}, {"type": "myhack58", "idList": ["MYHACK58:62201681821"]}, {"type": "gentoo", "idList": ["GLSA-201701-47"]}, {"type": "redhat", "idList": ["RHSA-2018:3558", "RHSA-2018:2486"]}, {"type": "apple", "idList": ["APPLE:HT207423"]}], "modified": "2020-09-22T18:36:44", "rev": 2}, "vulnersScore": 7.5}, "affectedPackage": [{"OS": "ArchLinux", "OSVersion": "any", "arch": "any", "packageName": "lib32-curl", "packageVersion": "7.51.0-1", "packageFilename": "UNKNOWN", "operator": "lt"}]}

{"archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8621", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625"], "description": "Arch Linux Security Advisory ASA-201611-10\n==========================================\n\nSeverity: High\nDate : 2016-11-03\nCVE-ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618\nCVE-2016-8619 CVE-2016-8621 CVE-2016-8623 CVE-2016-8624\nCVE-2016-8625\nPackage : lib32-libcurl-gnutls\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package lib32-libcurl-gnutls before version 7.51.0-1 is vulnerable\nto multiple issues including arbitrary code execution, content\nspoofing, information disclosure, insufficient validation and\nauthentication bypass.\n\nResolution\n==========\n\nUpgrade to 7.51.0-1.\n\n# pacman -Syu \"lib32-libcurl-gnutls>=7.51.0-1\"\n\nThe problems have been fixed upstream in version 7.51.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-8615 (content spoofing)\n\nIf cookie state is written into a cookie jar file that is later read\nback and used for subsequent requests, a malicious HTTP server can\ninject new cookies for arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory,\nwhich reads the specified file into a fixed-size buffer in a line-by-\nline manner using the fgets() function. If an invocation of fgets()\ncannot read the whole line into the destination buffer due to it being\ntoo small, it truncates the output. This way, a very long cookie (name\n+ value) sent by a malicious server would be stored in the file and\nsubsequently that cookie could be read partially and crafted correctly,\nit could be treated as a different cookie for another server.\n\n- CVE-2016-8616 (authentication bypass)\n\nWhen re-using a connection, curl was doing case insensitive comparisons\nof user name and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists\nfor a protocol that has connection-scoped credentials, an attacker can\ncause that connection to be reused if s/he knows the case-insensitive\nversion of the correct password.\n\n- CVE-2016-8617 (arbitrary code execution)\n\nIn libcurl's base64 encode function, the output buffer is allocated as\nfollows without any checks on insize:\n\nmalloc( insize * 4 / 3 + 4 )\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if insize is at least 1GB\nof data. If this happens, an undersized output buffer will be\nallocated, but the full result will be written, thus causing the memory\nbehind the output buffer to be overwritten.\n\nIf a username is set directly via CURLOPT_USERNAME (or curl's -u,\n--user option), this vulnerability can be triggered. The name has to be\nat least 512MB big in a 32bit system.\n\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8618 (arbitrary code execution)\n\nThe libcurl API function called curl_maprintf() can be tricked into\ndoing a double-free due to an unsafe size_t multiplication, on systems\nusing 32 bit size_t variables. The function is also used internally in\nnumerous situations.\n\nThe function doubles an allocated memory area with realloc() and allows\nthe size to wrap and become zero and when doing so realloc() returns\nNULL and frees the memory - in contrary to normal realloc() fails where\nit only returns NULL - causing libcurl to free the memory again in the\nerror path.\n\nThis behavior is triggerable using the publicly exposed function.\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8619 (arbitrary code execution)\n\nIn curl's implementation of the Kerberos authentication mechanism, the\nfunction read_data() in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it\nfails to ensure that the length parameter passed to realloc() is not\nset to 0.\n\nThis would lead to realloc() getting called with a zero size and when\ndoing so realloc() returns NULL and frees the memory - in contrary to\nnormal realloc() fails where it only returns NULL - causing libcurl to\nfree the memory again in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-\nbehaving server.\n\n- CVE-2016-8621 (information disclosure)\n\nThe curl_getdate converts a given date string into a numerical\ntimestamp and it supports a range of different formats and possibilites\nto express a date and time. The underlying date parsing function is\nalso used internally when parsing for example HTTP cookies (possibly\nreceived from remote servers) and it can be used when doing conditional\nHTTP requests.\n\nThe date parser function uses the libc sscanf() function at two places,\nwith the parsing strings \"%02d:%02d\" and \"\"%02d:%02d:%02d\". The intent\nbeing that it would parse either a string with HH:MM (two digits colon\ntwo digits) or HH:MM:SS (two digits colon two digits colon two digits).\nIf instead the piece of time that was sent in had the final digit cut\noff, thus ending with a single-digit, the date parser code would\nadvance its read pointer one byte too much and end up reading out of\nbounds.\n\n- CVE-2016-8623 (arbitrary code execution)\n\nlibcurl explicitly allows users to share cookies between multiple easy\nhandles that are concurrently employed by different threads.\nWhen cookies to be sent to a server are collected, the matching\nfunction collects all cookies to send and the cookie lock is released\nimmediately afterwards. That function however only returns a list with\nreferences back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a use-after-\nfree can occur possibly leading to arbitrary code execution. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\n- CVE-2016-8624 (insufficient validation)\n\ncurl doesn't parse the authority component of the URL correctly when\nthe host name part ends with a '#' character, and could instead be\ntricked into connecting to a different host. This may have security\nimplications if you for example use a URL parser that follows the RFC\nto check for allowed domains before using curl to request them.\n\nPassing in http://example.com#@evil.com/x.txt would wrongly make curl\nsend a request to evil.com while your browser would connect to\nexample.com given the same URL.\n\nThe problem exists for most protocol schemes.\n\n- CVE-2016-8625 (insufficient validation)\n\nWhen curl is built with libidn to handle International Domain Names\n(IDNA), it translates them to puny code for DNS resolving using the\nIDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA\nstandard. This misalignment causes problems with for example domains\nusing the German \u00df character (known as the Unicode Character 'LATIN\nSMALL LETTER SHARP S') which is used at times in the .de TLD and is\ntranslated differently in the two IDNA standards, leading to users\npotentially and unknowingly issuing network transfer requests to the\nwrong host.\n\nFor example, stra\u00dfe.de is translated into strasse.de using IDNA 2003\nbut is translated into xn--strae-oqa.de using IDNA 2008. Needless to\nsay, those host names could very well resolve to different addresses\nand be two completely independent servers. IDNA 2008 is mandatory for\n.de domains.\n\nThis name problem exists for DNS-using protocols in curl, but only when\nbuilt to use libidn.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code, inject cookies for\narbitrary domains and disclose sensitive information via various\nvectors.\n\nReferences\n==========\n\nhttps://curl.haxx.se/changes.html#7_51_0\nhttps://curl.haxx.se/docs/adv_20161102A.html\nhttps://curl.haxx.se/docs/adv_20161102B.html\nhttps://curl.haxx.se/docs/adv_20161102C.html\nhttps://curl.haxx.se/docs/adv_20161102D.html\nhttps://curl.haxx.se/docs/adv_20161102E.html\nhttps://curl.haxx.se/docs/adv_20161102G.html\nhttps://curl.haxx.se/docs/adv_20161102I.html\nhttps://curl.haxx.se/docs/adv_20161102J.html\nhttps://curl.haxx.se/docs/adv_20161102K.html\nhttps://access.redhat.com/security/cve/CVE-2016-8615\nhttps://access.redhat.com/security/cve/CVE-2016-8616\nhttps://access.redhat.com/security/cve/CVE-2016-8617\nhttps://access.redhat.com/security/cve/CVE-2016-8618\nhttps://access.redhat.com/security/cve/CVE-2016-8619\nhttps://access.redhat.com/security/cve/CVE-2016-8621\nhttps://access.redhat.com/security/cve/CVE-2016-8623\nhttps://access.redhat.com/security/cve/CVE-2016-8624\nhttps://access.redhat.com/security/cve/CVE-2016-8625", "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ASA-201611-10", "href": "https://security.archlinux.org/ASA-201611-10", "type": "archlinux", "title": "[ASA-201611-10] lib32-libcurl-gnutls: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8621", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625"], "description": "Arch Linux Security Advisory ASA-201611-5\n=========================================\n\nSeverity: High\nDate : 2016-11-02\nCVE-ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618\nCVE-2016-8619 CVE-2016-8621 CVE-2016-8623 CVE-2016-8624\nCVE-2016-8625\nPackage : lib32-libcurl-compat\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package lib32-libcurl-compat before version 7.51.0-1 is vulnerable\nto multiple issues including arbitrary code execution, content\nspoofing, information disclosure, insufficient validation and\nauthentication bypass.\n\nResolution\n==========\n\nUpgrade to 7.51.0-1.\n\n# pacman -Syu \"lib32-libcurl-compat>=7.51.0-1\"\n\nThe problems have been fixed upstream in version 7.51.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-8615 (content spoofing)\n\nIf cookie state is written into a cookie jar file that is later read\nback and used for subsequent requests, a malicious HTTP server can\ninject new cookies for arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory,\nwhich reads the specified file into a fixed-size buffer in a line-by-\nline manner using the fgets() function. If an invocation of fgets()\ncannot read the whole line into the destination buffer due to it being\ntoo small, it truncates the output. This way, a very long cookie (name\n+ value) sent by a malicious server would be stored in the file and\nsubsequently that cookie could be read partially and crafted correctly,\nit could be treated as a different cookie for another server.\n\n- CVE-2016-8616 (authentication bypass)\n\nWhen re-using a connection, curl was doing case insensitive comparisons\nof user name and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists\nfor a protocol that has connection-scoped credentials, an attacker can\ncause that connection to be reused if s/he knows the case-insensitive\nversion of the correct password.\n\n- CVE-2016-8617 (arbitrary code execution)\n\nIn libcurl's base64 encode function, the output buffer is allocated as\nfollows without any checks on insize:\n\nmalloc( insize * 4 / 3 + 4 )\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if insize is at least 1GB\nof data. If this happens, an undersized output buffer will be\nallocated, but the full result will be written, thus causing the memory\nbehind the output buffer to be overwritten.\n\nIf a username is set directly via CURLOPT_USERNAME (or curl's -u,\n--user option), this vulnerability can be triggered. The name has to be\nat least 512MB big in a 32bit system.\n\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8618 (arbitrary code execution)\n\nThe libcurl API function called curl_maprintf() can be tricked into\ndoing a double-free due to an unsafe size_t multiplication, on systems\nusing 32 bit size_t variables. The function is also used internally in\nnumerous situations.\n\nThe function doubles an allocated memory area with realloc() and allows\nthe size to wrap and become zero and when doing so realloc() returns\nNULL and frees the memory - in contrary to normal realloc() fails where\nit only returns NULL - causing libcurl to free the memory again in the\nerror path.\n\nThis behavior is triggerable using the publicly exposed function.\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8619 (arbitrary code execution)\n\nIn curl's implementation of the Kerberos authentication mechanism, the\nfunction read_data() in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it\nfails to ensure that the length parameter passed to realloc() is not\nset to 0.\n\nThis would lead to realloc() getting called with a zero size and when\ndoing so realloc() returns NULL and frees the memory - in contrary to\nnormal realloc() fails where it only returns NULL - causing libcurl to\nfree the memory again in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-\nbehaving server.\n\n- CVE-2016-8621 (information disclosure)\n\nThe curl_getdate converts a given date string into a numerical\ntimestamp and it supports a range of different formats and possibilites\nto express a date and time. The underlying date parsing function is\nalso used internally when parsing for example HTTP cookies (possibly\nreceived from remote servers) and it can be used when doing conditional\nHTTP requests.\n\nThe date parser function uses the libc sscanf() function at two places,\nwith the parsing strings \"%02d:%02d\" and \"\"%02d:%02d:%02d\". The intent\nbeing that it would parse either a string with HH:MM (two digits colon\ntwo digits) or HH:MM:SS (two digits colon two digits colon two digits).\nIf instead the piece of time that was sent in had the final digit cut\noff, thus ending with a single-digit, the date parser code would\nadvance its read pointer one byte too much and end up reading out of\nbounds.\n\n- CVE-2016-8623 (arbitrary code execution)\n\nlibcurl explicitly allows users to share cookies between multiple easy\nhandles that are concurrently employed by different threads.\nWhen cookies to be sent to a server are collected, the matching\nfunction collects all cookies to send and the cookie lock is released\nimmediately afterwards. That function however only returns a list with\nreferences back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a use-after-\nfree can occur possibly leading to arbitrary code execution. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\n- CVE-2016-8624 (insufficient validation)\n\ncurl doesn't parse the authority component of the URL correctly when\nthe host name part ends with a '#' character, and could instead be\ntricked into connecting to a different host. This may have security\nimplications if you for example use a URL parser that follows the RFC\nto check for allowed domains before using curl to request them.\n\nPassing in http://example.com#@evil.com/x.txt would wrongly make curl\nsend a request to evil.com while your browser would connect to\nexample.com given the same URL.\n\nThe problem exists for most protocol schemes.\n\n- CVE-2016-8625 (insufficient validation)\n\nWhen curl is built with libidn to handle International Domain Names\n(IDNA), it translates them to puny code for DNS resolving using the\nIDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA\nstandard. This misalignment causes problems with for example domains\nusing the German \u00df character (known as the Unicode Character 'LATIN\nSMALL LETTER SHARP S') which is used at times in the .de TLD and is\ntranslated differently in the two IDNA standards, leading to users\npotentially and unknowingly issuing network transfer requests to the\nwrong host.\n\nFor example, stra\u00dfe.de is translated into strasse.de using IDNA 2003\nbut is translated into xn--strae-oqa.de using IDNA 2008. Needless to\nsay, those host names could very well resolve to different addresses\nand be two completely independent servers. IDNA 2008 is mandatory for\n.de domains.\n\nThis name problem exists for DNS-using protocols in curl, but only when\nbuilt to use libidn.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code, inject cookies for\narbitrary domains and disclose sensitive information via various\nvectors.\n\nReferences\n==========\n\nhttps://curl.haxx.se/changes.html#7_51_0\nhttps://curl.haxx.se/docs/adv_20161102A.html\nhttps://curl.haxx.se/docs/adv_20161102B.html\nhttps://curl.haxx.se/docs/adv_20161102C.html\nhttps://curl.haxx.se/docs/adv_20161102D.html\nhttps://curl.haxx.se/docs/adv_20161102E.html\nhttps://curl.haxx.se/docs/adv_20161102G.html\nhttps://curl.haxx.se/docs/adv_20161102I.html\nhttps://curl.haxx.se/docs/adv_20161102J.html\nhttps://curl.haxx.se/docs/adv_20161102K.html\nhttps://access.redhat.com/security/cve/CVE-2016-8615\nhttps://access.redhat.com/security/cve/CVE-2016-8616\nhttps://access.redhat.com/security/cve/CVE-2016-8617\nhttps://access.redhat.com/security/cve/CVE-2016-8618\nhttps://access.redhat.com/security/cve/CVE-2016-8619\nhttps://access.redhat.com/security/cve/CVE-2016-8621\nhttps://access.redhat.com/security/cve/CVE-2016-8623\nhttps://access.redhat.com/security/cve/CVE-2016-8624\nhttps://access.redhat.com/security/cve/CVE-2016-8625", "modified": "2016-11-02T00:00:00", "published": "2016-11-02T00:00:00", "id": "ASA-201611-5", "href": "https://security.archlinux.org/ASA-201611-5", "type": "archlinux", "title": "[ASA-201611-5] lib32-libcurl-compat: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8619", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625"], "description": "Arch Linux Security Advisory ASA-201611-8\n=========================================\n\nSeverity: High\nDate : 2016-11-03\nCVE-ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8619\nCVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624\nCVE-2016-8625\nPackage : libcurl-compat\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package libcurl-compat before version 7.51.0-1 is vulnerable to\nmultiple issues including arbitrary code execution, content spoofing,\ninformation disclosure, insufficient validation and authentication\nbypass.\n\nResolution\n==========\n\nUpgrade to 7.51.0-1.\n\n# pacman -Syu \"libcurl-compat>=7.51.0-1\"\n\nThe problems have been fixed upstream in version 7.51.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-8615 (content spoofing)\n\nIf cookie state is written into a cookie jar file that is later read\nback and used for subsequent requests, a malicious HTTP server can\ninject new cookies for arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory,\nwhich reads the specified file into a fixed-size buffer in a line-by-\nline manner using the fgets() function. If an invocation of fgets()\ncannot read the whole line into the destination buffer due to it being\ntoo small, it truncates the output. This way, a very long cookie (name\n+ value) sent by a malicious server would be stored in the file and\nsubsequently that cookie could be read partially and crafted correctly,\nit could be treated as a different cookie for another server.\n\n- CVE-2016-8616 (authentication bypass)\n\nWhen re-using a connection, curl was doing case insensitive comparisons\nof user name and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists\nfor a protocol that has connection-scoped credentials, an attacker can\ncause that connection to be reused if s/he knows the case-insensitive\nversion of the correct password.\n\n- CVE-2016-8617 (arbitrary code execution)\n\nIn libcurl's base64 encode function, the output buffer is allocated as\nfollows without any checks on insize:\n\nmalloc( insize * 4 / 3 + 4 )\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if insize is at least 1GB\nof data. If this happens, an undersized output buffer will be\nallocated, but the full result will be written, thus causing the memory\nbehind the output buffer to be overwritten.\n\nIf a username is set directly via CURLOPT_USERNAME (or curl's -u,\n--user option), this vulnerability can be triggered. The name has to be\nat least 512MB big in a 32bit system.\n\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8619 (arbitrary code execution)\n\nIn curl's implementation of the Kerberos authentication mechanism, the\nfunction read_data() in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it\nfails to ensure that the length parameter passed to realloc() is not\nset to 0.\n\nThis would lead to realloc() getting called with a zero size and when\ndoing so realloc() returns NULL and frees the memory - in contrary to\nnormal realloc() fails where it only returns NULL - causing libcurl to\nfree the memory again in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-\nbehaving server.\n\n- CVE-2016-8621 (information disclosure)\n\nThe curl_getdate converts a given date string into a numerical\ntimestamp and it supports a range of different formats and possibilites\nto express a date and time. The underlying date parsing function is\nalso used internally when parsing for example HTTP cookies (possibly\nreceived from remote servers) and it can be used when doing conditional\nHTTP requests.\n\nThe date parser function uses the libc sscanf() function at two places,\nwith the parsing strings \"%02d:%02d\" and \"\"%02d:%02d:%02d\". The intent\nbeing that it would parse either a string with HH:MM (two digits colon\ntwo digits) or HH:MM:SS (two digits colon two digits colon two digits).\nIf instead the piece of time that was sent in had the final digit cut\noff, thus ending with a single-digit, the date parser code would\nadvance its read pointer one byte too much and end up reading out of\nbounds.\n\n- CVE-2016-8622 (arbitrary code execution)\n\nThe URL percent-encoding decode function in libcurl is called\ncurl_easy_unescape. Internally, even if this function would be made to\nallocate a unscape destination buffer larger than 2GB, it would return\nthat new length in a signed 32 bit integer variable, thus the length\nwould get either just truncated or both truncated and turned negative.\nThat could then lead to libcurl writing outside of its heap based\nbuffer.\n\nThis can be triggered by a user on a 64bit system if the user can send\nin a custom (very large) URL to a libcurl using program.\n\n- CVE-2016-8623 (arbitrary code execution)\n\nlibcurl explicitly allows users to share cookies between multiple easy\nhandles that are concurrently employed by different threads.\nWhen cookies to be sent to a server are collected, the matching\nfunction collects all cookies to send and the cookie lock is released\nimmediately afterwards. That function however only returns a list with\nreferences back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a use-after-\nfree can occur possibly leading to arbitrary code execution. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\n- CVE-2016-8624 (insufficient validation)\n\ncurl doesn't parse the authority component of the URL correctly when\nthe host name part ends with a '#' character, and could instead be\ntricked into connecting to a different host. This may have security\nimplications if you for example use a URL parser that follows the RFC\nto check for allowed domains before using curl to request them.\n\nPassing in http://example.com#@evil.com/x.txt would wrongly make curl\nsend a request to evil.com while your browser would connect to\nexample.com given the same URL.\n\nThe problem exists for most protocol schemes.\n\n- CVE-2016-8625 (insufficient validation)\n\nWhen curl is built with libidn to handle International Domain Names\n(IDNA), it translates them to puny code for DNS resolving using the\nIDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA\nstandard. This misalignment causes problems with for example domains\nusing the German \u00df character (known as the Unicode Character 'LATIN\nSMALL LETTER SHARP S') which is used at times in the .de TLD and is\ntranslated differently in the two IDNA standards, leading to users\npotentially and unknowingly issuing network transfer requests to the\nwrong host.\n\nFor example, stra\u00dfe.de is translated into strasse.de using IDNA 2003\nbut is translated into xn--strae-oqa.de using IDNA 2008. Needless to\nsay, those host names could very well resolve to different addresses\nand be two completely independent servers. IDNA 2008 is mandatory for\n.de domains.\n\nThis name problem exists for DNS-using protocols in curl, but only when\nbuilt to use libidn.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code, inject cookies for\narbitrary domains and disclose sensitive information via various\nvectors.\n\nReferences\n==========\n\nhttps://curl.haxx.se/changes.html#7_51_0\nhttps://curl.haxx.se/docs/adv_20161102A.html\nhttps://curl.haxx.se/docs/adv_20161102B.html\nhttps://curl.haxx.se/docs/adv_20161102C.html\nhttps://curl.haxx.se/docs/adv_20161102E.html\nhttps://curl.haxx.se/docs/adv_20161102G.html\nhttps://curl.haxx.se/docs/adv_20161102H.html\nhttps://curl.haxx.se/docs/adv_20161102I.html\nhttps://curl.haxx.se/docs/adv_20161102J.html\nhttps://curl.haxx.se/docs/adv_20161102K.html\nhttps://access.redhat.com/security/cve/CVE-2016-8615\nhttps://access.redhat.com/security/cve/CVE-2016-8616\nhttps://access.redhat.com/security/cve/CVE-2016-8617\nhttps://access.redhat.com/security/cve/CVE-2016-8619\nhttps://access.redhat.com/security/cve/CVE-2016-8621\nhttps://access.redhat.com/security/cve/CVE-2016-8622\nhttps://access.redhat.com/security/cve/CVE-2016-8623\nhttps://access.redhat.com/security/cve/CVE-2016-8624\nhttps://access.redhat.com/security/cve/CVE-2016-8625", "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ASA-201611-8", "href": "https://security.archlinux.org/ASA-201611-8", "type": "archlinux", "title": "[ASA-201611-8] libcurl-compat: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8619", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625"], "description": "Arch Linux Security Advisory ASA-201611-9\n=========================================\n\nSeverity: High\nDate : 2016-11-03\nCVE-ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8619\nCVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624\nCVE-2016-8625\nPackage : libcurl-gnutls\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package libcurl-gnutls before version 7.51.0-1 is vulnerable to\nmultiple issues including arbitrary code execution, content spoofing,\ninformation disclosure, insufficient validation and authentication\nbypass.\n\nResolution\n==========\n\nUpgrade to 7.51.0-1.\n\n# pacman -Syu \"libcurl-gnutls>=7.51.0-1\"\n\nThe problems have been fixed upstream in version 7.51.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-8615 (content spoofing)\n\nIf cookie state is written into a cookie jar file that is later read\nback and used for subsequent requests, a malicious HTTP server can\ninject new cookies for arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory,\nwhich reads the specified file into a fixed-size buffer in a line-by-\nline manner using the fgets() function. If an invocation of fgets()\ncannot read the whole line into the destination buffer due to it being\ntoo small, it truncates the output. This way, a very long cookie (name\n+ value) sent by a malicious server would be stored in the file and\nsubsequently that cookie could be read partially and crafted correctly,\nit could be treated as a different cookie for another server.\n\n- CVE-2016-8616 (authentication bypass)\n\nWhen re-using a connection, curl was doing case insensitive comparisons\nof user name and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists\nfor a protocol that has connection-scoped credentials, an attacker can\ncause that connection to be reused if s/he knows the case-insensitive\nversion of the correct password.\n\n- CVE-2016-8617 (arbitrary code execution)\n\nIn libcurl's base64 encode function, the output buffer is allocated as\nfollows without any checks on insize:\n\nmalloc( insize * 4 / 3 + 4 )\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if insize is at least 1GB\nof data. If this happens, an undersized output buffer will be\nallocated, but the full result will be written, thus causing the memory\nbehind the output buffer to be overwritten.\n\nIf a username is set directly via CURLOPT_USERNAME (or curl's -u,\n--user option), this vulnerability can be triggered. The name has to be\nat least 512MB big in a 32bit system.\n\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8619 (arbitrary code execution)\n\nIn curl's implementation of the Kerberos authentication mechanism, the\nfunction read_data() in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it\nfails to ensure that the length parameter passed to realloc() is not\nset to 0.\n\nThis would lead to realloc() getting called with a zero size and when\ndoing so realloc() returns NULL and frees the memory - in contrary to\nnormal realloc() fails where it only returns NULL - causing libcurl to\nfree the memory again in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-\nbehaving server.\n\n- CVE-2016-8621 (information disclosure)\n\nThe curl_getdate converts a given date string into a numerical\ntimestamp and it supports a range of different formats and possibilites\nto express a date and time. The underlying date parsing function is\nalso used internally when parsing for example HTTP cookies (possibly\nreceived from remote servers) and it can be used when doing conditional\nHTTP requests.\n\nThe date parser function uses the libc sscanf() function at two places,\nwith the parsing strings \"%02d:%02d\" and \"\"%02d:%02d:%02d\". The intent\nbeing that it would parse either a string with HH:MM (two digits colon\ntwo digits) or HH:MM:SS (two digits colon two digits colon two digits).\nIf instead the piece of time that was sent in had the final digit cut\noff, thus ending with a single-digit, the date parser code would\nadvance its read pointer one byte too much and end up reading out of\nbounds.\n\n- CVE-2016-8622 (arbitrary code execution)\n\nThe URL percent-encoding decode function in libcurl is called\ncurl_easy_unescape. Internally, even if this function would be made to\nallocate a unscape destination buffer larger than 2GB, it would return\nthat new length in a signed 32 bit integer variable, thus the length\nwould get either just truncated or both truncated and turned negative.\nThat could then lead to libcurl writing outside of its heap based\nbuffer.\n\nThis can be triggered by a user on a 64bit system if the user can send\nin a custom (very large) URL to a libcurl using program.\n\n- CVE-2016-8623 (arbitrary code execution)\n\nlibcurl explicitly allows users to share cookies between multiple easy\nhandles that are concurrently employed by different threads.\nWhen cookies to be sent to a server are collected, the matching\nfunction collects all cookies to send and the cookie lock is released\nimmediately afterwards. That function however only returns a list with\nreferences back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a use-after-\nfree can occur possibly leading to arbitrary code execution. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\n- CVE-2016-8624 (insufficient validation)\n\ncurl doesn't parse the authority component of the URL correctly when\nthe host name part ends with a '#' character, and could instead be\ntricked into connecting to a different host. This may have security\nimplications if you for example use a URL parser that follows the RFC\nto check for allowed domains before using curl to request them.\n\nPassing in http://example.com#@evil.com/x.txt would wrongly make curl\nsend a request to evil.com while your browser would connect to\nexample.com given the same URL.\n\nThe problem exists for most protocol schemes.\n\n- CVE-2016-8625 (insufficient validation)\n\nWhen curl is built with libidn to handle International Domain Names\n(IDNA), it translates them to puny code for DNS resolving using the\nIDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA\nstandard. This misalignment causes problems with for example domains\nusing the German \u00df character (known as the Unicode Character 'LATIN\nSMALL LETTER SHARP S') which is used at times in the .de TLD and is\ntranslated differently in the two IDNA standards, leading to users\npotentially and unknowingly issuing network transfer requests to the\nwrong host.\n\nFor example, stra\u00dfe.de is translated into strasse.de using IDNA 2003\nbut is translated into xn--strae-oqa.de using IDNA 2008. Needless to\nsay, those host names could very well resolve to different addresses\nand be two completely independent servers. IDNA 2008 is mandatory for\n.de domains.\n\nThis name problem exists for DNS-using protocols in curl, but only when\nbuilt to use libidn.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code, inject cookies for\narbitrary domains and disclose sensitive information via various\nvectors.\n\nReferences\n==========\n\nhttps://curl.haxx.se/changes.html#7_51_0\nhttps://curl.haxx.se/docs/adv_20161102A.html\nhttps://curl.haxx.se/docs/adv_20161102B.html\nhttps://curl.haxx.se/docs/adv_20161102C.html\nhttps://curl.haxx.se/docs/adv_20161102E.html\nhttps://curl.haxx.se/docs/adv_20161102G.html\nhttps://curl.haxx.se/docs/adv_20161102H.html\nhttps://curl.haxx.se/docs/adv_20161102I.html\nhttps://curl.haxx.se/docs/adv_20161102J.html\nhttps://curl.haxx.se/docs/adv_20161102K.html\nhttps://access.redhat.com/security/cve/CVE-2016-8615\nhttps://access.redhat.com/security/cve/CVE-2016-8616\nhttps://access.redhat.com/security/cve/CVE-2016-8617\nhttps://access.redhat.com/security/cve/CVE-2016-8619\nhttps://access.redhat.com/security/cve/CVE-2016-8621\nhttps://access.redhat.com/security/cve/CVE-2016-8622\nhttps://access.redhat.com/security/cve/CVE-2016-8623\nhttps://access.redhat.com/security/cve/CVE-2016-8624\nhttps://access.redhat.com/security/cve/CVE-2016-8625", "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ASA-201611-9", "href": "https://security.archlinux.org/ASA-201611-9", "type": "archlinux", "title": "[ASA-201611-9] libcurl-gnutls: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8619", "CVE-2016-8620", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625"], "description": "Arch Linux Security Advisory ASA-201611-7\n=========================================\n\nSeverity: High\nDate : 2016-11-03\nCVE-ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8619\nCVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623\nCVE-2016-8624 CVE-2016-8625\nPackage : curl\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package curl before version 7.51.0-1 is vulnerable to multiple\nissues including arbitrary code execution, content spoofing,\ninformation disclosure, insufficient validation and authentication\nbypass.\n\nResolution\n==========\n\nUpgrade to 7.51.0-1.\n\n# pacman -Syu \"curl>=7.51.0-1\"\n\nThe problems have been fixed upstream in version 7.51.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-8615 (content spoofing)\n\nIf cookie state is written into a cookie jar file that is later read\nback and used for subsequent requests, a malicious HTTP server can\ninject new cookies for arbitrary domains into said cookie jar.\n\nThe issue pertains to the function that loads cookies into memory,\nwhich reads the specified file into a fixed-size buffer in a line-by-\nline manner using the fgets() function. If an invocation of fgets()\ncannot read the whole line into the destination buffer due to it being\ntoo small, it truncates the output. This way, a very long cookie (name\n+ value) sent by a malicious server would be stored in the file and\nsubsequently that cookie could be read partially and crafted correctly,\nit could be treated as a different cookie for another server.\n\n- CVE-2016-8616 (authentication bypass)\n\nWhen re-using a connection, curl was doing case insensitive comparisons\nof user name and password with the existing connections.\n\nThis means that if an unused connection with proper credentials exists\nfor a protocol that has connection-scoped credentials, an attacker can\ncause that connection to be reused if s/he knows the case-insensitive\nversion of the correct password.\n\n- CVE-2016-8617 (arbitrary code execution)\n\nIn libcurl's base64 encode function, the output buffer is allocated as\nfollows without any checks on insize:\n\nmalloc( insize * 4 / 3 + 4 )\nOn systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the\nmultiplication in the expression wraps around if insize is at least 1GB\nof data. If this happens, an undersized output buffer will be\nallocated, but the full result will be written, thus causing the memory\nbehind the output buffer to be overwritten.\n\nIf a username is set directly via CURLOPT_USERNAME (or curl's -u,\n--user option), this vulnerability can be triggered. The name has to be\nat least 512MB big in a 32bit system.\n\nSystems with 64 bit versions of the size_t type are not affected by\nthis issue.\n\n- CVE-2016-8619 (arbitrary code execution)\n\nIn curl's implementation of the Kerberos authentication mechanism, the\nfunction read_data() in security.c is used to fill the necessary krb5\nstructures. When reading one of the length fields from the socket, it\nfails to ensure that the length parameter passed to realloc() is not\nset to 0.\n\nThis would lead to realloc() getting called with a zero size and when\ndoing so realloc() returns NULL and frees the memory - in contrary to\nnormal realloc() fails where it only returns NULL - causing libcurl to\nfree the memory again in the error path.\n\nThis flaw could be triggered by a malicious or just otherwise ill-\nbehaving server.\n\n- CVE-2016-8620 (arbitrary code execution)\n\nThe curl tool's \"globbing\" feature allows a user to specify a numerical\nrange through which curl will iterate. It is typically specified as\n[1-5], specifying the first and the last numbers in the range. Or with\n[a-z], using letters.\n\nThe curl code for parsing the second unsigned number did not check for\na leading minus character, which allowed a user to specify [1--1] with\nno complaints and have the latter -1 number get turned into the largest\nunsigned long value the system can handle. This would ultimately cause\ncurl to write outside the dedicated malloced buffer after no less than\n100,000 iterations, since it would have room for 5 digits but not 6.\n\nWhen the range is specified with letters, and the ending letter is left\nout [L-], the code would still advance its read pointer 5 bytes even if\nthe string was just 4 bytes and end up reading outside the given\nbuffer.\n\nThis flaw exists only in the curl tool, not in the libcurl library.\n\n- CVE-2016-8621 (information disclosure)\n\nThe curl_getdate converts a given date string into a numerical\ntimestamp and it supports a range of different formats and possibilites\nto express a date and time. The underlying date parsing function is\nalso used internally when parsing for example HTTP cookies (possibly\nreceived from remote servers) and it can be used when doing conditional\nHTTP requests.\n\nThe date parser function uses the libc sscanf() function at two places,\nwith the parsing strings \"%02d:%02d\" and \"\"%02d:%02d:%02d\". The intent\nbeing that it would parse either a string with HH:MM (two digits colon\ntwo digits) or HH:MM:SS (two digits colon two digits colon two digits).\nIf instead the piece of time that was sent in had the final digit cut\noff, thus ending with a single-digit, the date parser code would\nadvance its read pointer one byte too much and end up reading out of\nbounds.\n\n- CVE-2016-8622 (arbitrary code execution)\n\nThe URL percent-encoding decode function in libcurl is called\ncurl_easy_unescape. Internally, even if this function would be made to\nallocate a unscape destination buffer larger than 2GB, it would return\nthat new length in a signed 32 bit integer variable, thus the length\nwould get either just truncated or both truncated and turned negative.\nThat could then lead to libcurl writing outside of its heap based\nbuffer.\n\nThis can be triggered by a user on a 64bit system if the user can send\nin a custom (very large) URL to a libcurl using program.\n\n- CVE-2016-8623 (arbitrary code execution)\n\nlibcurl explicitly allows users to share cookies between multiple easy\nhandles that are concurrently employed by different threads.\nWhen cookies to be sent to a server are collected, the matching\nfunction collects all cookies to send and the cookie lock is released\nimmediately afterwards. That function however only returns a list with\nreferences back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a use-after-\nfree can occur possibly leading to arbitrary code execution. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\n- CVE-2016-8624 (insufficient validation)\n\ncurl doesn't parse the authority component of the URL correctly when\nthe host name part ends with a '#' character, and could instead be\ntricked into connecting to a different host. This may have security\nimplications if you for example use a URL parser that follows the RFC\nto check for allowed domains before using curl to request them.\n\nPassing in http://example.com#@evil.com/x.txt would wrongly make curl\nsend a request to evil.com while your browser would connect to\nexample.com given the same URL.\n\nThe problem exists for most protocol schemes.\n\n- CVE-2016-8625 (insufficient validation)\n\nWhen curl is built with libidn to handle International Domain Names\n(IDNA), it translates them to puny code for DNS resolving using the\nIDNA 2003 standard, while IDNA 2008 is the modern and up-to-date IDNA\nstandard. This misalignment causes problems with for example domains\nusing the German \u00df character (known as the Unicode Character 'LATIN\nSMALL LETTER SHARP S') which is used at times in the .de TLD and is\ntranslated differently in the two IDNA standards, leading to users\npotentially and unknowingly issuing network transfer requests to the\nwrong host.\n\nFor example, stra\u00dfe.de is translated into strasse.de using IDNA 2003\nbut is translated into xn--strae-oqa.de using IDNA 2008. Needless to\nsay, those host names could very well resolve to different addresses\nand be two completely independent servers. IDNA 2008 is mandatory for\n.de domains.\n\nThis name problem exists for DNS-using protocols in curl, but only when\nbuilt to use libidn.\n\nImpact\n======\n\nA remote attacker is able to execute arbitrary code, inject cookies for\narbitrary domains and disclose sensitive information via various\nvectors.\n\nReferences\n==========\n\nhttps://curl.haxx.se/changes.html#7_51_0\nhttps://curl.haxx.se/docs/adv_20161102A.html\nhttps://curl.haxx.se/docs/adv_20161102B.html\nhttps://curl.haxx.se/docs/adv_20161102C.html\nhttps://curl.haxx.se/docs/adv_20161102E.html\nhttps://curl.haxx.se/docs/adv_20161102F.html\nhttps://curl.haxx.se/docs/adv_20161102G.html\nhttps://curl.haxx.se/docs/adv_20161102H.html\nhttps://curl.haxx.se/docs/adv_20161102I.html\nhttps://curl.haxx.se/docs/adv_20161102J.html\nhttps://curl.haxx.se/docs/adv_20161102K.html\nhttps://access.redhat.com/security/cve/CVE-2016-8615\nhttps://access.redhat.com/security/cve/CVE-2016-8616\nhttps://access.redhat.com/security/cve/CVE-2016-8617\nhttps://access.redhat.com/security/cve/CVE-2016-8619\nhttps://access.redhat.com/security/cve/CVE-2016-8620\nhttps://access.redhat.com/security/cve/CVE-2016-8621\nhttps://access.redhat.com/security/cve/CVE-2016-8622\nhttps://access.redhat.com/security/cve/CVE-2016-8623\nhttps://access.redhat.com/security/cve/CVE-2016-8624\nhttps://access.redhat.com/security/cve/CVE-2016-8625", "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "ASA-201611-7", "href": "https://security.archlinux.org/ASA-201611-7", "type": "archlinux", "title": "[ASA-201611-7] curl: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-09T04:25:37", "description": "The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Fix TFTP small blocksize heap buffer overflow \n\n462\n\n - Security Fixes [OraBug: 28939992]\n\n - CVE-2016-8615 cookie injection for other servers \n\n - CVE-2016-8616 case insensitive password comparison \n\n - CVE-2016-8617 OOB write via unchecked multiplication \n\n - CVE-2016-8618 double-free in curl_maprintf \n\n - CVE-2016-8619 double-free in krb5 code \n\n - CVE-2016-8621 curl_getdate read out of bounds \n\n - CVE-2016-8623 Use-after-free via shared cookies \n\n - CVE-2016-8624 invalid URL parsing with # \n\n - use PK11_CreateManagedGenericObject in libcurl to\n prevent memory leak \n\n - fix auth failure with duplicated WWW-Authenticate header\n (#1757643)", "edition": 2, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-02T00:00:00", "title": "OracleVM 3.4 : curl (OVMSA-2020-0035)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8624", "CVE-2019-5482", "CVE-2016-8621"], "modified": "2020-09-02T00:00:00", "cpe": ["p-cpe:/a:oracle:vm:libcurl", "cpe:/o:oracle:vm_server:3.4", "p-cpe:/a:oracle:vm:curl"], "id": "ORACLEVM_OVMSA-2020-0035.NASL", "href": "https://www.tenable.com/plugins/nessus/140168", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from OracleVM\n# Security Advisory OVMSA-2020-0035.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140168);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8621\", \"CVE-2016-8623\", \"CVE-2016-8624\", \"CVE-2019-5482\");\n\n script_name(english:\"OracleVM 3.4 : curl (OVMSA-2020-0035)\");\n script_summary(english:\"Checks the RPM output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote OracleVM host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote OracleVM system is missing necessary patches to address\ncritical security updates :\n\n - Fix TFTP small blocksize heap buffer overflow \n\n462\n\n - Security Fixes [OraBug: 28939992]\n\n - CVE-2016-8615 cookie injection for other servers \n\n - CVE-2016-8616 case insensitive password comparison \n\n - CVE-2016-8617 OOB write via unchecked multiplication \n\n - CVE-2016-8618 double-free in curl_maprintf \n\n - CVE-2016-8619 double-free in krb5 code \n\n - CVE-2016-8621 curl_getdate read out of bounds \n\n - CVE-2016-8623 Use-after-free via shared cookies \n\n - CVE-2016-8624 invalid URL parsing with # \n\n - use PK11_CreateManagedGenericObject in libcurl to\n prevent memory leak \n\n - fix auth failure with duplicated WWW-Authenticate header\n (#1757643)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8615.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8616.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8617.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8618.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8619.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8621.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8623.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/CVE-2016-8624.html\"\n );\n # https://oss.oracle.com/pipermail/oraclevm-errata/2020-September/000998.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f4c2cdb6\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected curl / libcurl packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:vm:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:vm_server:3.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/02\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"OracleVM Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleVM/release\", \"Host/OracleVM/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/OracleVM/release\");\nif (isnull(release) || \"OVS\" >!< release) audit(AUDIT_OS_NOT, \"OracleVM\");\nif (! preg(pattern:\"^OVS\" + \"3\\.4\" + \"(\\.[0-9]|$)\", string:release)) audit(AUDIT_OS_NOT, \"OracleVM 3.4\", \"OracleVM \" + release);\nif (!get_kb_item(\"Host/OracleVM/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"OracleVM\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"OVS3.4\", reference:\"curl-7.19.7-54.0.2.el6_10\")) flag++;\nif (rpm_check(release:\"OVS3.4\", reference:\"libcurl-7.19.7-54.0.2.el6_10\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / libcurl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:44:04", "description": "CVE-2016-8615 If cookie state is written into a cookie jar file that\nis later read back and used for subsequent requests, a malicious HTTP\nserver can inject new cookies for arbitrary domains into said cookie\njar. The issue pertains to the function that loads cookies into\nmemory, which reads the specified file into a fixed-size buffer in a\nline-by-line manner using the `fgets()` function. If an invocation of\nfgets() cannot read the whole line into the destination buffer due to\nit being too small, it truncates the output. This way, a very long\ncookie (name + value) sent by a malicious server would be stored in\nthe file and subsequently that cookie could be read partially and\ncrafted correctly, it could be treated as a different cookie for\nanother server.\n\nCVE-2016-8616 When re-using a connection, curl was doing case\ninsensitive comparisons of user name and password with the existing\nconnections. This means that if an unused connection with proper\ncredentials exists for a protocol that has connection-scoped\ncredentials, an attacker can cause that connection to be reused if\ns/he knows the case-insensitive version of the correct password.\n\nCVE-2016-8617 In libcurl's base64 encode function, the output buffer\nis allocated as follows without any checks on insize: malloc( insize *\n4 / 3 + 4 ) On systems with 32-bit addresses in userspace (e.g. x86,\nARM, x32), the multiplication in the expression wraps around if insize\nis at least 1GB of data. If this happens, an undersized output buffer\nwill be allocated, but the full result will be written, thus causing\nthe memory behind the output buffer to be overwritten. Systems with 64\nbit versions of the `size_t` type are not affected by this issue.\n\nCVE-2016-8618 The libcurl API function called `curl_maprintf()` can be\ntricked into doing a double-free due to an unsafe `size_t`\nmultiplication, on systems using 32 bit `size_t` variables. The\nfunction is also used internallty in numerous situations. Systems with\n64 bit versions of the `size_t` type are not affected by this issue.\n\nCVE-2016-8619 In curl's implementation of the Kerberos authentication\nmechanism, the function `read_data()` in security.c is used to fill\nthe necessary krb5 structures. When reading one of the length fields\nfrom the socket, it fails to ensure that the length parameter passed\nto realloc() is not set to 0.\n\nCVE-2016-8621 The `curl_getdate` converts a given date string into a\nnumerical timestamp and it supports a range of different formats and\npossibilites to express a date and time. The underlying date parsing\nfunction is also used internally when parsing for example HTTP cookies\n(possibly received from remote servers) and it can be used when doing\nconditional HTTP requests.\n\nCVE-2016-8622 The URL percent-encoding decode function in libcurl is\ncalled `curl_easy_unescape`. Internally, even if this function would\nbe made to allocate a unscape destination buffer larger than 2GB, it\nwould return that new length in a signed 32 bit integer variable, thus\nthe length would get either just truncated or both truncated and\nturned negative. That could then lead to libcurl writing outside of\nits heap based buffer.\n\nCVE-2016-8623 libcurl explicitly allows users to share cookies between\nmultiple easy handles that are concurrently employed by different\nthreads. When cookies to be sent to a server are collected, the\nmatching function collects all cookies to send and the cookie lock is\nreleased immediately afterwards. That funcion however only returns a\nlist with\n\n*references* back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a\nuse-after-free can occur and lead to information disclosure. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\nCVE-2016-8624 curl doesn't parse the authority component of the URL\ncorrectly when the host name part ends with a '#' character, and could\ninstead be tricked into connecting to a different host. This may have\nsecurity implications if you for example use an URL parser that\nfollows the RFC to check for allowed domains before using curl to\nrequest them.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.26.0-1+wheezy17.\n\nWe recommend that you upgrade your curl packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-18T00:00:00", "title": "Debian DLA-711-1 : curl security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "modified": "2016-11-18T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libcurl4-nss-dev", "p-cpe:/a:debian:debian_linux:libcurl3", "p-cpe:/a:debian:debian_linux:libcurl3-gnutls", "p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev", "p-cpe:/a:debian:debian_linux:libcurl3-nss", "p-cpe:/a:debian:debian_linux:curl", "p-cpe:/a:debian:debian_linux:libcurl3-dbg", "cpe:/o:debian:debian_linux:7.0", "p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev"], "id": "DEBIAN_DLA-711.NASL", "href": "https://www.tenable.com/plugins/nessus/94941", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-711-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94941);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n\n script_name(english:\"Debian DLA-711-1 : curl security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2016-8615 If cookie state is written into a cookie jar file that\nis later read back and used for subsequent requests, a malicious HTTP\nserver can inject new cookies for arbitrary domains into said cookie\njar. The issue pertains to the function that loads cookies into\nmemory, which reads the specified file into a fixed-size buffer in a\nline-by-line manner using the `fgets()` function. If an invocation of\nfgets() cannot read the whole line into the destination buffer due to\nit being too small, it truncates the output. This way, a very long\ncookie (name + value) sent by a malicious server would be stored in\nthe file and subsequently that cookie could be read partially and\ncrafted correctly, it could be treated as a different cookie for\nanother server.\n\nCVE-2016-8616 When re-using a connection, curl was doing case\ninsensitive comparisons of user name and password with the existing\nconnections. This means that if an unused connection with proper\ncredentials exists for a protocol that has connection-scoped\ncredentials, an attacker can cause that connection to be reused if\ns/he knows the case-insensitive version of the correct password.\n\nCVE-2016-8617 In libcurl's base64 encode function, the output buffer\nis allocated as follows without any checks on insize: malloc( insize *\n4 / 3 + 4 ) On systems with 32-bit addresses in userspace (e.g. x86,\nARM, x32), the multiplication in the expression wraps around if insize\nis at least 1GB of data. If this happens, an undersized output buffer\nwill be allocated, but the full result will be written, thus causing\nthe memory behind the output buffer to be overwritten. Systems with 64\nbit versions of the `size_t` type are not affected by this issue.\n\nCVE-2016-8618 The libcurl API function called `curl_maprintf()` can be\ntricked into doing a double-free due to an unsafe `size_t`\nmultiplication, on systems using 32 bit `size_t` variables. The\nfunction is also used internallty in numerous situations. Systems with\n64 bit versions of the `size_t` type are not affected by this issue.\n\nCVE-2016-8619 In curl's implementation of the Kerberos authentication\nmechanism, the function `read_data()` in security.c is used to fill\nthe necessary krb5 structures. When reading one of the length fields\nfrom the socket, it fails to ensure that the length parameter passed\nto realloc() is not set to 0.\n\nCVE-2016-8621 The `curl_getdate` converts a given date string into a\nnumerical timestamp and it supports a range of different formats and\npossibilites to express a date and time. The underlying date parsing\nfunction is also used internally when parsing for example HTTP cookies\n(possibly received from remote servers) and it can be used when doing\nconditional HTTP requests.\n\nCVE-2016-8622 The URL percent-encoding decode function in libcurl is\ncalled `curl_easy_unescape`. Internally, even if this function would\nbe made to allocate a unscape destination buffer larger than 2GB, it\nwould return that new length in a signed 32 bit integer variable, thus\nthe length would get either just truncated or both truncated and\nturned negative. That could then lead to libcurl writing outside of\nits heap based buffer.\n\nCVE-2016-8623 libcurl explicitly allows users to share cookies between\nmultiple easy handles that are concurrently employed by different\nthreads. When cookies to be sent to a server are collected, the\nmatching function collects all cookies to send and the cookie lock is\nreleased immediately afterwards. That funcion however only returns a\nlist with\n\n*references* back to the original strings for name, value, path and so\non. Therefore, if another thread quickly takes the lock and frees one\nof the original cookie structs together with its strings, a\nuse-after-free can occur and lead to information disclosure. Another\nthread can also replace the contents of the cookies from separate HTTP\nresponses or API calls.\n\nCVE-2016-8624 curl doesn't parse the authority component of the URL\ncorrectly when the host name part ends with a '#' character, and could\ninstead be tricked into connecting to a different host. This may have\nsecurity implications if you for example use an URL parser that\nfollows the RFC to check for allowed domains before using curl to\nrequest them.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.26.0-1+wheezy17.\n\nWe recommend that you upgrade your curl packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/11/msg00018.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/curl\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3-gnutls\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl3-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl4-gnutls-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl4-nss-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libcurl4-openssl-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"curl\", reference:\"7.26.0-1+wheezy17\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3\", reference:\"7.26.0-1+wheezy17\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-dbg\", reference:\"7.26.0-1+wheezy17\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-gnutls\", reference:\"7.26.0-1+wheezy17\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-nss\", reference:\"7.26.0-1+wheezy17\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-gnutls-dev\", reference:\"7.26.0-1+wheezy17\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-nss-dev\", reference:\"7.26.0-1+wheezy17\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-openssl-dev\", reference:\"7.26.0-1+wheezy17\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T04:47:16", "description": "Description of changes:\n\n[7.29.0-51.0.1]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers \n(https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison \n(https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication \n(https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf \n(https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code \n(https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds \n(https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation \n(https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies \n(https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # \n(https://curl.haxx.se/docs/CVE-2016-8624.html)", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-24T00:00:00", "title": "Oracle Linux 6 / 7 : curl (ELSA-2019-4652)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:curl", "p-cpe:/a:oracle:linux:libcurl-devel", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:libcurl"], "id": "ORACLELINUX_ELSA-2019-4652.NASL", "href": "https://www.tenable.com/plugins/nessus/125380", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2019-4652.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125380);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/15\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n\n script_name(english:\"Oracle Linux 6 / 7 : curl (ELSA-2019-4652)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Description of changes:\n\n[7.29.0-51.0.1]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers \n(https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison \n(https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication \n(https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf \n(https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code \n(https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds \n(https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation \n(https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies \n(https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # \n(https://curl.haxx.se/docs/CVE-2016-8624.html)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-May/008755.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-May/008756.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6 / 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"curl-7.19.7-53.0.2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"libcurl-7.19.7-53.0.2.el6_9\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"libcurl-devel-7.19.7-53.0.2.el6_9\")) flag++;\n\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"curl-7.29.0-51.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"libcurl-7.29.0-51.0.1.el7\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"libcurl-devel-7.29.0-51.0.1.el7\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / libcurl / libcurl-devel\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T10:53:41", "description": "The cURL project reports\n\n- cookie injection for other servers\n\n- case insensitive password comparison\n\n- OOB write via unchecked multiplication\n\n- double-free in curl_maprintf\n\n- double-free in krb5 code\n\n- glob parser write/read out of bounds\n\n- curl_getdate read out of bounds\n\n- URL unescape heap overflow via integer truncation\n\n- Use-after-free via shared cookies\n\n- invalid URL parsing with '#'\n\n- IDNA 2003 makes curl use wrong host", "edition": 23, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-03T00:00:00", "title": "FreeBSD : cURL -- multiple vulnerabilities (765feb7d-a0d1-11e6-a881-b499baebfeaf)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "modified": "2016-11-03T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:curl"], "id": "FREEBSD_PKG_765FEB7DA0D111E6A881B499BAEBFEAF.NASL", "href": "https://www.tenable.com/plugins/nessus/94493", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94493);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\", \"CVE-2016-8625\");\n\n script_name(english:\"FreeBSD : cURL -- multiple vulnerabilities (765feb7d-a0d1-11e6-a881-b499baebfeaf)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The cURL project reports\n\n- cookie injection for other servers\n\n- case insensitive password comparison\n\n- OOB write via unchecked multiplication\n\n- double-free in curl_maprintf\n\n- double-free in krb5 code\n\n- glob parser write/read out of bounds\n\n- curl_getdate read out of bounds\n\n- URL unescape heap overflow via integer truncation\n\n- Use-after-free via shared cookies\n\n- invalid URL parsing with '#'\n\n- IDNA 2003 makes curl use wrong host\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://curl.haxx.se/docs/security.html\"\n );\n # https://vuxml.freebsd.org/freebsd/765feb7d-a0d1-11e6-a881-b499baebfeaf.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a1f13ec8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"curl>=7.1<7.51.0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T09:10:56", "description": "New curl packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix security issues.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-04T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : curl (SSA:2016-308-01)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "modified": "2016-11-04T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:13.0", "cpe:/o:slackware:slackware_linux", "p-cpe:/a:slackware:slackware_linux:curl", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2016-308-01.NASL", "href": "https://www.tenable.com/plugins/nessus/94516", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-308-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94516);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\", \"CVE-2016-8625\");\n script_xref(name:\"SSA\", value:\"2016-308-01\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : curl (SSA:2016-308-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New curl packages are available for Slackware 13.0, 13.1, 13.37,\n14.0, 14.1, 14.2, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.661139\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34b08de2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"curl\", pkgver:\"7.51.0\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:51:53", "description": "According to the versions of the curl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - Multiple integer overflows in the (1) curl_escape, (2)\n curl_easy_escape, (3) curl_unescape, and (4)\n curl_easy_unescape functions in libcurl before 7.50.3\n allow attackers to have unspecified impact via a string\n of length 0xffffffff, which triggers a heap-based\n buffer overflow.(CVE-2016-7167)\n\n - ** RESERVED ** This candidate has been reserved by an\n organization or individual that will use it when\n announcing a new security problem. When the candidate\n has been publicized, the details for this candidate\n will be\n provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE\n -2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CV\n E-2016-8623,CVE-2016-8624)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1036)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libcurl-devel", "p-cpe:/a:huawei:euleros:curl", "p-cpe:/a:huawei:euleros:libcurl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1036.NASL", "href": "https://www.tenable.com/plugins/nessus/99881", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99881);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-7167\",\n \"CVE-2016-8615\",\n \"CVE-2016-8616\",\n \"CVE-2016-8617\",\n \"CVE-2016-8618\",\n \"CVE-2016-8619\",\n \"CVE-2016-8621\",\n \"CVE-2016-8622\",\n \"CVE-2016-8623\",\n \"CVE-2016-8624\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : curl (EulerOS-SA-2017-1036)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the curl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - Multiple integer overflows in the (1) curl_escape, (2)\n curl_easy_escape, (3) curl_unescape, and (4)\n curl_easy_unescape functions in libcurl before 7.50.3\n allow attackers to have unspecified impact via a string\n of length 0xffffffff, which triggers a heap-based\n buffer overflow.(CVE-2016-7167)\n\n - ** RESERVED ** This candidate has been reserved by an\n organization or individual that will use it when\n announcing a new security problem. When the candidate\n has been publicized, the details for this candidate\n will be\n provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE\n -2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CV\n E-2016-8623,CVE-2016-8624)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1036\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a4651f03\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected curl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"curl-7.29.0-35.h11\",\n \"libcurl-7.29.0-35.h11\",\n \"libcurl-devel-7.29.0-35.h11\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T08:51:53", "description": "According to the versions of the curl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - Multiple integer overflows in the (1) curl_escape, (2)\n curl_easy_escape, (3) curl_unescape, and (4)\n curl_easy_unescape functions in libcurl before 7.50.3\n allow attackers to have unspecified impact via a string\n of length 0xffffffff, which triggers a heap-based\n buffer overflow.(CVE-2016-7167)\n\n - ** RESERVED ** This candidate has been reserved by an\n organization or individual that will use it when\n announcing a new security problem. When the candidate\n has been publicized, the details for this candidate\n will be\n provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE\n -2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CV\n E-2016-8623,CVE-2016-8624)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 25, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1035)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "modified": "2017-05-01T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:libcurl-devel", "p-cpe:/a:huawei:euleros:curl", "p-cpe:/a:huawei:euleros:libcurl", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2017-1035.NASL", "href": "https://www.tenable.com/plugins/nessus/99880", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99880);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-7167\",\n \"CVE-2016-8615\",\n \"CVE-2016-8616\",\n \"CVE-2016-8617\",\n \"CVE-2016-8618\",\n \"CVE-2016-8619\",\n \"CVE-2016-8621\",\n \"CVE-2016-8622\",\n \"CVE-2016-8623\",\n \"CVE-2016-8624\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : curl (EulerOS-SA-2017-1035)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the curl packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - Multiple integer overflows in the (1) curl_escape, (2)\n curl_easy_escape, (3) curl_unescape, and (4)\n curl_easy_unescape functions in libcurl before 7.50.3\n allow attackers to have unspecified impact via a string\n of length 0xffffffff, which triggers a heap-based\n buffer overflow.(CVE-2016-7167)\n\n - ** RESERVED ** This candidate has been reserved by an\n organization or individual that will use it when\n announcing a new security problem. When the candidate\n has been publicized, the details for this candidate\n will be\n provided.(CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE\n -2016-8618,CVE-2016-8619,CVE-2016-8621,CVE-2016-8622,CV\n E-2016-8623,CVE-2016-8624)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1035\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a794fbb5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected curl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"curl-7.29.0-35.h11\",\n \"libcurl-7.29.0-35.h11\",\n \"libcurl-devel-7.29.0-35.h11\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:14:28", "description": " - fix cookie injection for other servers (CVE-2016-8615)\n\n - compare user/passwd case-sensitively while reusing\n connections (CVE-2016-8616)\n\n - base64: check for integer overflow on large input\n (CVE-2016-8617)\n\n - fix double-free in krb5 code (CVE-2016-8619)\n\n - fix double-free in curl_maprintf() (CVE-2016-8618)\n\n - fix glob parser write/read out of bounds (CVE-2016-8620)\n\n - fix out-of-bounds read in curl_getdate() (CVE-2016-8621)\n\n - fix URL unescape heap overflow via integer truncation\n (CVE-2016-8622)\n\n - fix use-after-free via shared cookies (CVE-2016-8623)\n\n - urlparse: accept '#' as end of host name (CVE-2016-8624)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 18, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-21T00:00:00", "title": "Fedora 25 : curl (2016-89769648a0)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "modified": "2016-11-21T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:25", "p-cpe:/a:fedoraproject:fedora:curl"], "id": "FEDORA_2016-89769648A0.NASL", "href": "https://www.tenable.com/plugins/nessus/95009", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-89769648a0.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(95009);\n script_version(\"3.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_xref(name:\"FEDORA\", value:\"2016-89769648a0\");\n\n script_name(english:\"Fedora 25 : curl (2016-89769648a0)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - fix cookie injection for other servers (CVE-2016-8615)\n\n - compare user/passwd case-sensitively while reusing\n connections (CVE-2016-8616)\n\n - base64: check for integer overflow on large input\n (CVE-2016-8617)\n\n - fix double-free in krb5 code (CVE-2016-8619)\n\n - fix double-free in curl_maprintf() (CVE-2016-8618)\n\n - fix glob parser write/read out of bounds (CVE-2016-8620)\n\n - fix out-of-bounds read in curl_getdate() (CVE-2016-8621)\n\n - fix URL unescape heap overflow via integer truncation\n (CVE-2016-8622)\n\n - fix use-after-free via shared cookies (CVE-2016-8623)\n\n - urlparse: accept '#' as end of host name (CVE-2016-8624)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-89769648a0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:25\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^25([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 25\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC25\", reference:\"curl-7.51.0-1.fc25\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T09:49:50", "description": "Several vulnerabilities were discovered in cURL, an URL transfer\nlibrary :\n\n - CVE-2016-8615\n It was discovered that a malicious HTTP server could\n inject new cookies for arbitrary domains into a cookie\n jar.\n\n - CVE-2016-8616\n It was discovered that when re-using a connection, curl\n was doing case insensitive comparisons of user name and\n password with the existing connections.\n\n - CVE-2016-8617\n It was discovered that on systems with 32-bit addresses\n in userspace (e.g. x86, ARM, x32), the output buffer\n size value calculated in the base64 encode function\n would wrap around if input size was at least 1GB of\n data, causing an undersized output buffer to be\n allocated.\n\n - CVE-2016-8618\n It was discovered that the curl_maprintf() function\n could be tricked into doing a double-free due to an\n unsafe size_t multiplication on systems using 32 bit\n size_t variables.\n\n - CVE-2016-8619\n It was discovered that the Kerberos implementation could\n be tricked into doing a double-free when reading one of\n the length fields from a socket.\n\n - CVE-2016-8620\n It was discovered that the curl tool's 'globbing'\n feature could write to invalid memory areas when parsing\n invalid ranges.\n\n - CVE-2016-8621\n It was discovered that the function curl_getdate could\n read out of bounds when parsing invalid date strings.\n\n - CVE-2016-8622\n It was discovered that the URL percent-encoding decode\n function would return a signed 32bit integer variable as\n length, even though it allocated a destination buffer\n larger than 2GB, which would lead to a out-of-bounds\n write.\n\n - CVE-2016-8623\n It was discovered that libcurl could access an\n already-freed memory area due to concurrent access to\n shared cookies. This could lead to a denial of service\n or disclosure of sensitive information.\n\n - CVE-2016-8624\n It was discovered that curl wouldn't parse the authority\n component of a URL correctly when the host name part\n ends with a '#' character, and could be tricked into\n connecting to a different host.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-07T00:00:00", "title": "Debian DSA-3705-1 : curl - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "modified": "2016-11-07T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:curl"], "id": "DEBIAN_DSA-3705.NASL", "href": "https://www.tenable.com/plugins/nessus/94588", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3705. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(94588);\n script_version(\"2.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_xref(name:\"DSA\", value:\"3705\");\n\n script_name(english:\"Debian DSA-3705-1 : curl - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in cURL, an URL transfer\nlibrary :\n\n - CVE-2016-8615\n It was discovered that a malicious HTTP server could\n inject new cookies for arbitrary domains into a cookie\n jar.\n\n - CVE-2016-8616\n It was discovered that when re-using a connection, curl\n was doing case insensitive comparisons of user name and\n password with the existing connections.\n\n - CVE-2016-8617\n It was discovered that on systems with 32-bit addresses\n in userspace (e.g. x86, ARM, x32), the output buffer\n size value calculated in the base64 encode function\n would wrap around if input size was at least 1GB of\n data, causing an undersized output buffer to be\n allocated.\n\n - CVE-2016-8618\n It was discovered that the curl_maprintf() function\n could be tricked into doing a double-free due to an\n unsafe size_t multiplication on systems using 32 bit\n size_t variables.\n\n - CVE-2016-8619\n It was discovered that the Kerberos implementation could\n be tricked into doing a double-free when reading one of\n the length fields from a socket.\n\n - CVE-2016-8620\n It was discovered that the curl tool's 'globbing'\n feature could write to invalid memory areas when parsing\n invalid ranges.\n\n - CVE-2016-8621\n It was discovered that the function curl_getdate could\n read out of bounds when parsing invalid date strings.\n\n - CVE-2016-8622\n It was discovered that the URL percent-encoding decode\n function would return a signed 32bit integer variable as\n length, even though it allocated a destination buffer\n larger than 2GB, which would lead to a out-of-bounds\n write.\n\n - CVE-2016-8623\n It was discovered that libcurl could access an\n already-freed memory area due to concurrent access to\n shared cookies. This could lead to a denial of service\n or disclosure of sensitive information.\n\n - CVE-2016-8624\n It was discovered that curl wouldn't parse the authority\n component of a URL correctly when the host name part\n ends with a '#' character, and could be tricked into\n connecting to a different host.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8615\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8616\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8617\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8618\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8619\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8620\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8622\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8623\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2016-8624\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/curl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2016/dsa-3705\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the curl packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 7.38.0-4+deb8u5.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/07\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"curl\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl3\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl3-dbg\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl3-gnutls\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl3-nss\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl4-doc\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl4-gnutls-dev\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl4-nss-dev\", reference:\"7.38.0-4+deb8u5\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libcurl4-openssl-dev\", reference:\"7.38.0-4+deb8u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:19:28", "description": "This build resolves the following issues :\n\nCVE-2016-8615 : Cookie injection for other servers\n\nCVE-2016-8616 : Case insensitive password comparison\n\nCVE-2016-8617 : Out-of-bounds write via unchecked multiplication\n\nCVE-2016-8618 : Double-free in curl_maprintf\n\nCVE-2016-8619 : Double-free in krb5 code\n\nCVE-2016-8620 : Glob parser write/read out of bounds\n\nCVE-2016-8621 : curl_getdate out-of-bounds read\n\nCVE-2016-8622 : URL unescape heap overflow via integer truncation\n\nCVE-2016-8623 : Use-after-free via shared cookies\n\nCVE-2016-8624 : Invalid URL parsing with '#'", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-11T00:00:00", "title": "Amazon Linux AMI : curl (ALAS-2016-766)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "modified": "2021-01-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:libcurl", "p-cpe:/a:amazon:linux:libcurl-devel", "p-cpe:/a:amazon:linux:curl-debuginfo", "cpe:/o:amazon:linux", "p-cpe:/a:amazon:linux:curl"], "id": "ALA_ALAS-2016-766.NASL", "href": "https://www.tenable.com/plugins/nessus/94686", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-766.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94686);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2018/10/01 10:24:12\");\n\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_xref(name:\"ALAS\", value:\"2016-766\");\n\n script_name(english:\"Amazon Linux AMI : curl (ALAS-2016-766)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This build resolves the following issues :\n\nCVE-2016-8615 : Cookie injection for other servers\n\nCVE-2016-8616 : Case insensitive password comparison\n\nCVE-2016-8617 : Out-of-bounds write via unchecked multiplication\n\nCVE-2016-8618 : Double-free in curl_maprintf\n\nCVE-2016-8619 : Double-free in krb5 code\n\nCVE-2016-8620 : Glob parser write/read out of bounds\n\nCVE-2016-8621 : curl_getdate out-of-bounds read\n\nCVE-2016-8622 : URL unescape heap overflow via integer truncation\n\nCVE-2016-8623 : Use-after-free via shared cookies\n\nCVE-2016-8624 : Invalid URL parsing with '#'\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-766.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update curl' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:libcurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"curl-7.47.1-9.66.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"curl-debuginfo-7.47.1-9.66.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"libcurl-7.47.1-9.66.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"libcurl-devel-7.47.1-9.66.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / curl-debuginfo / libcurl / libcurl-devel\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:21:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "Package : curl\nVersion : 7.26.0-1+wheezy17\nCVE ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618\n CVE-2016-8619 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623\n CVE-2016-8624\n\n\nCVE-2016-8615\n If cookie state is written into a cookie jar file that is later read\n back and used for subsequent requests, a malicious HTTP server can\n inject new cookies for arbitrary domains into said cookie jar.\n The issue pertains to the function that loads cookies into memory, which\n reads the specified file into a fixed-size buffer in a line-by-line\n manner using the `fgets()` function. If an invocation of fgets() cannot\n read the whole line into the destination buffer due to it being too\n small, it truncates the output.\n This way, a very long cookie (name + value) sent by a malicious server\n would be stored in the file and subsequently that cookie could be read\n partially and crafted correctly, it could be treated as a different\n cookie for another server.\n\nCVE-2016-8616\n When re-using a connection, curl was doing case insensitive comparisons\n of user name and password with the existing connections.\n This means that if an unused connection with proper credentials exists\n for a protocol that has connection-scoped credentials, an attacker can\n cause that connection to be reused if s/he knows the case-insensitive\n version of the correct password.\n\nCVE-2016-8617\n In libcurl&#x27;s base64 encode function, the output buffer is allocated\n as follows without any checks on insize:\n malloc( insize * 4 / 3 + 4 )\n On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32),\n the multiplication in the expression wraps around if insize is at\n least 1GB of data. If this happens, an undersized output buffer will\n be allocated, but the full result will be written, thus causing the\n memory behind the output buffer to be overwritten.\n Systems with 64 bit versions of the `size_t` type are not affected\n by this issue.\n\nCVE-2016-8618\n The libcurl API function called `curl_maprintf()` can be tricked into\n doing a double-free due to an unsafe `size_t` multiplication, on\n systems using 32 bit `size_t` variables. The function is also used\n internallty in numerous situations.\n Systems with 64 bit versions of the `size_t` type are not affected\n by this issue.\n\nCVE-2016-8619\n In curl&#x27;s implementation of the Kerberos authentication mechanism,\n the function `read_data()` in security.c is used to fill the\n necessary krb5 structures. When reading one of the length fields from\n the socket, it fails to ensure that the length parameter passed to\n realloc() is not set to 0.\n\nCVE-2016-8621\n The `curl_getdate` converts a given date string into a numerical\n timestamp and it supports a range of different formats and\n possibilites to express a date and time. The underlying date\n parsing function is also used internally when parsing for example\n HTTP cookies (possibly received from remote servers) and it can be\n used when doing conditional HTTP requests.\n\nCVE-2016-8622\n The URL percent-encoding decode function in libcurl is called\n `curl_easy_unescape`. Internally, even if this function would be\n made to allocate a unscape destination buffer larger than 2GB, it\n would return that new length in a signed 32 bit integer variable,\n thus the length would get either just truncated or both truncated\n and turned negative. That could then lead to libcurl writing outside\n of its heap based buffer.\n\nCVE-2016-8623\n libcurl explicitly allows users to share cookies between multiple\n easy handles that are concurrently employed by different threads.\n When cookies to be sent to a server are collected, the matching\n function collects all cookies to send and the cookie lock is released\n immediately afterwards. That funcion however only returns a list with\n *references* back to the original strings for name, value, path and so\n on. Therefore, if another thread quickly takes the lock and frees one\n of the original cookie structs together with its strings,\n a use-after-free can occur and lead to information disclosure. Another\n thread can also replace the contents of the cookies from separate HTTP\n responses or API calls.\n\nCVE-2016-8624\n curl doesn&#x27;t parse the authority component of the URL correctly when\n the host name part ends with a &#x27;#&#x27; character, and could instead be\n tricked into connecting to a different host. This may have security\n implications if you for example use an URL parser that follows the RFC\n to check for allowed domains before using curl to request them.\n\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n7.26.0-1+wheezy17.\n\nWe recommend that you upgrade your curl packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2016-11-17T21:50:21", "published": "2016-11-17T21:50:21", "id": "DEBIAN:DLA-711-1:02E2B", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201611/msg00018.html", "title": "[SECURITY] [DLA 711-1] curl security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:09:35", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3705-1 security@debian.org\nhttps://www.debian.org/security/ Alessandro Ghedini\nNovember 03, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : curl\nCVE ID : CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618\n CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622\n CVE-2016-8623 CVE-2016-8624\n\nSeveral vulnerabilities were discovered in cURL, an URL transfer library:\n\nCVE-2016-8615\n\n It was discovered that a malicious HTTP server could inject new\n cookies for arbitrary domains into a cookie jar.\n\nCVE-2016-8616\n\n It was discovered that when re-using a connection, curl was doing case\n insensitive comparisons of user name and password with the existing\n connections.\n\nCVE-2016-8617\n\n It was discovered that on systems with 32-bit addresses in userspace\n (e.g. x86, ARM, x32), the output buffer size value calculated in the\n base64 encode function would wrap around if input size was at least\n 1GB of data, causing an undersized output buffer to be allocated.\n\nCVE-2016-8618\n\n It was discovered that the curl_maprintf() function could be tricked\n into doing a double-free due to an unsafe size_t multiplication on\n systems using 32 bit size_t variables.\n\nCVE-2016-8619\n\n It was discovered that that the Kerberos implementation could be\n tricked into doing a double-free when reading one of the length fields\n from a socket.\n\nCVE-2016-8620\n\n It was discovered that the curl tool&#x27;s &quot;globbing&quot; feature could write\n to invalid memory areas when parsing invalid ranges.\n\nCVE-2016-8621\n\n It was discovered that the function curl_getdate could read out of\n bounds when parsing invalid date strings.\n\nCVE-2016-8622\n\n It was discovered that the URL percent-encoding decode function would\n return a signed 32bit integer variable as length, even though it\n allocated a destination buffer larger than 2GB, which would lead to\n a out-of-bounds write.\n\nCVE-2016-8623\n\n It was discovered that libcurl could access an already-freed memory\n area due to concurrent access to shared cookies. This could lead to\n a denial of service or disclosure of sensitive information.\n\nCVE-2016-8624\n\n It was discovered that curl wouldn&#x27;t parse the authority component of\n a URL correctly when the host name part ends with a &#x27;#&#x27; character,\n and could be tricked into connecting to a different host.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 7.38.0-4+deb8u5.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7.51.0-1.\n\nWe recommend that you upgrade your curl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 8, "modified": "2016-11-03T23:15:32", "published": "2016-11-03T23:15:32", "id": "DEBIAN:DSA-3705-1:8640E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00288.html", "title": "[SECURITY] [DSA 3705-1] curl security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:07", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8620", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625"], "description": "New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\n14.2, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/curl-7.51.0-i586-1_slack14.2.txz: Upgraded.\n This release fixes security issues:\n CVE-2016-8615: cookie injection for other servers\n CVE-2016-8616: case insensitive password comparison\n CVE-2016-8617: OOB write via unchecked multiplication\n CVE-2016-8618: double-free in curl_maprintf\n CVE-2016-8619: double-free in krb5 code\n CVE-2016-8620: glob parser write/read out of bounds\n CVE-2016-8621: curl_getdate read out of bounds\n CVE-2016-8622: URL unescape heap overflow via integer truncation\n CVE-2016-8623: Use-after-free via shared cookies\n CVE-2016-8624: invalid URL parsing with '#'\n CVE-2016-8625: IDNA 2003 makes curl use wrong host\n For more information, see:\n https://curl.haxx.se/docs/adv_20161102A.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8615\n https://curl.haxx.se/docs/adv_20161102B.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8616\n https://curl.haxx.se/docs/adv_20161102C.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8617\n https://curl.haxx.se/docs/adv_20161102D.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8618\n https://curl.haxx.se/docs/adv_20161102E.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8619\n https://curl.haxx.se/docs/adv_20161102F.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8620\n https://curl.haxx.se/docs/adv_20161102G.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8621\n https://curl.haxx.se/docs/adv_20161102H.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8622\n https://curl.haxx.se/docs/adv_20161102I.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8623\n https://curl.haxx.se/docs/adv_20161102J.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8624\n https://curl.haxx.se/docs/adv_20161102K.html\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8625\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/curl-7.51.0-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/curl-7.51.0-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/curl-7.51.0-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/curl-7.51.0-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/curl-7.51.0-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/curl-7.51.0-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/curl-7.51.0-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/curl-7.51.0-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/curl-7.51.0-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/curl-7.51.0-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/curl-7.51.0-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/curl-7.51.0-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/curl-7.51.0-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/curl-7.51.0-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\naf2372bf676474745a0dc09a3f63022c curl-7.51.0-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n2895acf3b040c98bc36136a42d4337da curl-7.51.0-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\nff8531dcb458e6e004ffc0d1834f79ff curl-7.51.0-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n209d8f20153c0f71f7de42e79f61b754 curl-7.51.0-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n23ae80080d7dd434e2b34857ca5b9ded curl-7.51.0-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nb43c2714e7128f7d37b375ff2095500f curl-7.51.0-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n82bc3fafa0363354ea84cd1b6cf13953 curl-7.51.0-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nb23076850711c42e0cd411791f0b84a6 curl-7.51.0-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n2667ed9a40a2fd4cfbc0c9ef48838952 curl-7.51.0-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nfa92dc36cf68a6e7ec4a1313f9b852ad curl-7.51.0-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n464cf649cecc4003917a21269a7ce1af curl-7.51.0-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n269d377e735a243d4b806d81b874ed1a curl-7.51.0-x86_64-1_slack14.2.txz\n\nSlackware -current package:\n3e86800cdae36cda905cd35e3738c8d6 n/curl-7.51.0-i586-1.txz\n\nSlackware x86_64 -current package:\nabe70641a1b24661e96ddc3537748d4c n/curl-7.51.0-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg curl-7.51.0-i586-1_slack14.2.txz", "modified": "2016-11-04T03:34:42", "published": "2016-11-04T03:34:42", "id": "SSA-2016-308-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.661139", "type": "slackware", "title": "[slackware-security] curl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "\nThe cURL project reports\n\n\ncookie injection for other servers\ncase insensitive password comparison\nOOB write via unchecked multiplication\ndouble-free in curl_maprintf\ndouble-free in krb5 code\nglob parser write/read out of bounds\ncurl_getdate read out of bounds\nURL unescape heap overflow via integer truncation\nUse-after-free via shared cookies\ninvalid URL parsing with '#'\nIDNA 2003 makes curl use wrong host\n\n\n", "edition": 3, "modified": "2016-11-02T00:00:00", "published": "2016-11-02T00:00:00", "id": "765FEB7D-A0D1-11E6-A881-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/765feb7d-a0d1-11e6-a881-b499baebfeaf.html", "title": "cURL -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:35:58", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "[7.29.0-51.0.1]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers (https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison (https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication (https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf (https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code (https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds (https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation (https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies (https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # (https://curl.haxx.se/docs/CVE-2016-8624.html)", "edition": 2, "modified": "2019-05-21T00:00:00", "published": "2019-05-21T00:00:00", "id": "ELSA-2019-4652", "href": "http://linux.oracle.com/errata/ELSA-2019-4652.html", "title": "curl security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-07T06:56:34", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2019-5482", "CVE-2016-8621"], "description": "[7.29.0-59.0.1]\n- Fix TFTP small blocksize heap buffer overflow (https://curl.haxx.se/docs/CVE-2019-5482.html)[CVE-2019-5482][Orabug: 30568724]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers (https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison (https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication (https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf (https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code (https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds (https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation (https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies (https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # (https://curl.haxx.se/docs/CVE-2016-8624.html)\n- Drop 1001-tftp-Alloc-maximum-blksize-and-use-default-unless-OA.patch\n[7.29.0-59]\n- http: free protocol-specific struct in setup_connection callback (#1836773)\n[7.29.0-58]\n- fix heap buffer overflow in function tftp_receive_packet() (CVE-2019-5482)", "edition": 1, "modified": "2020-10-06T00:00:00", "published": "2020-10-06T00:00:00", "id": "ELSA-2020-3916", "href": "http://linux.oracle.com/errata/ELSA-2020-3916.html", "title": "curl security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-30T23:48:33", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2018-14618", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "[7.29.0-51.0.1.el7_6.3]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers (https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison (https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication (https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf (https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code (https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds (https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation (https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies (https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # (https://curl.haxx.se/docs/CVE-2016-8624.html)\n[7.29.0-51.el7_6.3]\n- fix NTLM password overflow via integer overflow (CVE-2018-14618)\n[7.29.0-51.el7_6.2]\n- prevent curl --rate-limit from crashing on https URLs (#1683292)\n[7.29.0-51.el7_6.1]\n- prevent curl --rate-limit from hanging on file URLs (#1281969)", "edition": 2, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-1880", "href": "http://linux.oracle.com/errata/ELSA-2019-1880.html", "title": "curl security and bug fix update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-09T02:39:22", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2019-5436", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2019-5482", "CVE-2016-8621"], "description": "[7.29.0-57.0.1]\n- Fix TFTP small blocksize heap buffer overflow (https://curl.haxx.se/docs/CVE-2019-5482.html)[CVE-2019-5482][Orabug: 30568724]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers (https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison (https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication (https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf (https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code (https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds (https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation (https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies (https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # (https://curl.haxx.se/docs/CVE-2016-8624.html)\n[7.29.0-57]\n- allow curl to POST from a char device (#1769307)\n[7.29.0-56]\n- fix auth failure with duplicated WWW-Authenticate header (#1754736)\n[7.29.0-55]\n- fix TFTP receive buffer overflow (CVE-2019-5436)", "edition": 1, "modified": "2020-04-06T00:00:00", "published": "2020-04-06T00:00:00", "id": "ELSA-2020-1020", "href": "http://linux.oracle.com/errata/ELSA-2020-1020.html", "title": "curl security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-14T08:38:02", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2018-14618", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621", "CVE-2018-16842"], "description": "[7.29.0-54.0.1]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers (https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison (https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication (https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf (https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code (https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds (https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation (https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies (https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # (https://curl.haxx.se/docs/CVE-2016-8624.html)\n[7.29.0-54]\n- make 'curl --tlsv1' backward compatible (#1672639)\n[7.29.0-53]\n- backport the --tls-max option of curl and TLS 1.3 ciphers (#1672639)\n[7.29.0-52]\n- prevent curl --rate-limit from hanging on file URLs (#1281969)\n- fix NTLM password overflow via integer overflow (CVE-2018-14618)\n- fix bad arithmetic when outputting warnings to stderr (CVE-2018-16842)\n- backport options to force TLS 1.3 in curl and libcurl (#1672639)\n- prevent curl --rate-limit from crashing on https URLs (#1683292)", "edition": 1, "modified": "2019-08-13T00:00:00", "published": "2019-08-13T00:00:00", "id": "ELSA-2019-2181", "href": "http://linux.oracle.com/errata/ELSA-2019-2181.html", "title": "curl security and bug fix update", "type": "oraclelinux", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-12T07:24:52", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2019-5482", "CVE-2016-8621", "CVE-2020-8177"], "description": "[7.29.0-59.0.1.1]\n- Fix TFTP small blocksize heap buffer overflow (https://curl.haxx.se/docs/CVE-2019-5482.html)[CVE-2019-5482][Orabug: 30568724]\n- Security Fixes [OraBug: 28939992]\n- CVE-2016-8615 cookie injection for other servers (https://curl.haxx.se/docs/CVE-2016-8615.html)\n- CVE-2016-8616 case insensitive password comparison (https://curl.haxx.se/docs/CVE-2016-8616.html)\n- CVE-2016-8617 OOB write via unchecked multiplication (https://curl.haxx.se/docs/CVE-2016-8617.html)\n- CVE-2016-8618 double-free in curl_maprintf (https://curl.haxx.se/docs/CVE-2016-8618.html)\n- CVE-2016-8619 double-free in krb5 code (https://curl.haxx.se/docs/CVE-2016-8619.html)\n- CVE-2016-8621 curl_getdate read out of bounds (https://curl.haxx.se/docs/CVE-2016-8621.html)\n- CVE-2016-8622 URL unescape heap overflow via integer truncation (https://curl.haxx.se/docs/CVE-2016-8622.html)\n- CVE-2016-8623 Use-after-free via shared cookies (https://curl.haxx.se/docs/CVE-2016-8623.html)\n- CVE-2016-8624 invalid URL parsing with # (https://curl.haxx.se/docs/CVE-2016-8624.html)\n- Drop 1001-tftp-Alloc-maximum-blksize-and-use-default-unless-OA.patch\n[7.29.0-59.el7_9.1]\n- avoid overwriting a local file with -J (CVE-2020-8177)", "edition": 2, "modified": "2020-11-12T00:00:00", "published": "2020-11-12T00:00:00", "id": "ELSA-2020-5002", "href": "http://linux.oracle.com/errata/ELSA-2020-5002.html", "title": "curl security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8620", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624"], "description": "curl is a command line tool for transferring data with URL syntax, supporti ng FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, I MAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks. ", "modified": "2016-11-06T00:28:22", "published": "2016-11-06T00:28:22", "id": "FEDORA:C38F16060C6A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: curl-7.47.1-9.fc24", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8620", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624"], "description": "curl is a command line tool for transferring data with URL syntax, supporti ng FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, I MAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks. ", "modified": "2016-11-19T21:51:02", "published": "2016-11-19T21:51:02", "id": "FEDORA:40D1C6051CE4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 25 Update: curl-7.51.0-1.fc25", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:34:45", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "**Issue Overview:**\n\nThis build resolves the following issues:\n\n[CVE-2016-8615 __](<https://access.redhat.com/security/cve/CVE-2016-8615>): Cookie injection for other servers \n[CVE-2016-8616 __](<https://access.redhat.com/security/cve/CVE-2016-8616>): Case insensitive password comparison \n[CVE-2016-8617 __](<https://access.redhat.com/security/cve/CVE-2016-8617>): Out-of-bounds write via unchecked multiplication \n[CVE-2016-8618 __](<https://access.redhat.com/security/cve/CVE-2016-8618>): Double-free in curl_maprintf \n[CVE-2016-8619 __](<https://access.redhat.com/security/cve/CVE-2016-8619>): Double-free in krb5 code \n[CVE-2016-8620 __](<https://access.redhat.com/security/cve/CVE-2016-8620>): Glob parser write/read out of bounds \n[CVE-2016-8621 __](<https://access.redhat.com/security/cve/CVE-2016-8621>): curl_getdate out-of-bounds read \n[CVE-2016-8622 __](<https://access.redhat.com/security/cve/CVE-2016-8622>): URL unescape heap overflow via integer truncation \n[CVE-2016-8623 __](<https://access.redhat.com/security/cve/CVE-2016-8623>): Use-after-free via shared cookies \n[CVE-2016-8624 __](<https://access.redhat.com/security/cve/CVE-2016-8624>): Invalid URL parsing with '#' \n\n\n \n**Affected Packages:** \n\n\ncurl\n\n \n**Issue Correction:** \nRun _yum update curl_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n libcurl-7.47.1-9.66.amzn1.i686 \n libcurl-devel-7.47.1-9.66.amzn1.i686 \n curl-7.47.1-9.66.amzn1.i686 \n curl-debuginfo-7.47.1-9.66.amzn1.i686 \n \n src: \n curl-7.47.1-9.66.amzn1.src \n \n x86_64: \n curl-7.47.1-9.66.amzn1.x86_64 \n libcurl-devel-7.47.1-9.66.amzn1.x86_64 \n libcurl-7.47.1-9.66.amzn1.x86_64 \n curl-debuginfo-7.47.1-9.66.amzn1.x86_64 \n \n \n", "edition": 3, "modified": "2016-11-10T18:00:00", "published": "2016-11-10T18:00:00", "id": "ALAS-2016-766", "href": "https://alas.aws.amazon.com/ALAS-2016-766.html", "title": "Medium: curl", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-27T18:36:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171035", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171035", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1035)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1035\");\n script_version(\"2020-01-23T14:23:06+0000\");\n script_cve_id(\"CVE-2016-7167\", \"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 14:23:06 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:45:04 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1035)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1035\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1035\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'curl' package(s) announced via the EulerOS-SA-2017-1035 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.(CVE-2016-7167)\n\nA flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.(CVE-2016-8615)\n\nA flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.(CVE-2016-8616)\n\nThe base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.(CVE-2016-8617)\n\nThe libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.(CVE-2016-8618)\n\nThe function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.(CVE-2016-8619)\n\nThe `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.(CVE-2016-8621)\n\nThe URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.(CVE-2016-8622)\n\nA flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.(CVE-2016-8623)\n\ncurl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.(CVE-2016-8624)\");\n\n script_tag(name:\"affected\", value:\"'curl' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"curl\", rpm:\"curl~7.29.0~35.h11\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl\", rpm:\"libcurl~7.29.0~35.h11\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl-devel\", rpm:\"libcurl-devel~7.29.0~35.h11\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:39:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171036", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171036", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1036)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1036\");\n script_version(\"2020-01-23T14:23:06+0000\");\n script_cve_id(\"CVE-2016-7167\", \"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 14:23:06 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:45:13 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2017-1036)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1036\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1036\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'curl' package(s) announced via the EulerOS-SA-2017-1036 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.(CVE-2016-7167)\n\nA flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.(CVE-2016-8615)\n\nA flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.(CVE-2016-8616)\n\nThe base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.(CVE-2016-8617)\n\nThe libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.(CVE-2016-8618)\n\nThe function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.(CVE-2016-8619)\n\nThe `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.(CVE-2016-8621)\n\nThe URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.(CVE-2016-8622)\n\nA flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.(CVE-2016-8623)\n\ncurl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.(CVE-2016-8624)\");\n\n script_tag(name:\"affected\", value:\"'curl' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"curl\", rpm:\"curl~7.29.0~35.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl\", rpm:\"libcurl~7.29.0~35.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl-devel\", rpm:\"libcurl-devel~7.29.0~35.h11\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "Several vulnerabilities were discovered in cURL, an URL transfer library:\n\nCVE-2016-8615\nIt was discovered that a malicious HTTP server could inject new\ncookies for arbitrary domains into a cookie jar.\n\nCVE-2016-8616\nIt was discovered that when re-using a connection, curl was doing case\ninsensitive comparisons of user name and password with the existing\nconnections.\n\nCVE-2016-8617\nIt was discovered that on systems with 32-bit addresses in userspace\n(e.g. x86, ARM, x32), the output buffer size value calculated in the\nbase64 encode function would wrap around if input size was at least\n1GB of data, causing an undersized output buffer to be allocated.\n\nCVE-2016-8618\nIt was discovered that the curl_maprintf() function could be tricked\ninto doing a double-free due to an unsafe size_t multiplication on\nsystems using 32 bit size_t variables.\n\nCVE-2016-8619\nIt was discovered that the Kerberos implementation could be\ntricked into doing a double-free when reading one of the length fields\nfrom a socket.\n\nCVE-2016-8620It was discovered that the curl tool", "modified": "2019-03-18T00:00:00", "published": "2016-11-03T00:00:00", "id": "OPENVAS:1361412562310703705", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703705", "type": "openvas", "title": "Debian Security Advisory DSA 3705-1 (curl - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3705.nasl 14279 2019-03-18 14:48:34Z cfischer $\n# Auto-generated from advisory DSA 3705-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703705\");\n script_version(\"$Revision: 14279 $\");\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_name(\"Debian Security Advisory DSA 3705-1 (curl - security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:48:34 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-03 00:00:00 +0100 (Thu, 03 Nov 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"http://www.debian.org/security/2016/dsa-3705.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n script_tag(name:\"affected\", value:\"curl on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (jessie), these problems have been fixed in\nversion 7.38.0-4+deb8u5.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7.51.0-1.\n\nWe recommend that you upgrade your curl packages.\");\n script_tag(name:\"summary\", value:\"Several vulnerabilities were discovered in cURL, an URL transfer library:\n\nCVE-2016-8615\nIt was discovered that a malicious HTTP server could inject new\ncookies for arbitrary domains into a cookie jar.\n\nCVE-2016-8616\nIt was discovered that when re-using a connection, curl was doing case\ninsensitive comparisons of user name and password with the existing\nconnections.\n\nCVE-2016-8617\nIt was discovered that on systems with 32-bit addresses in userspace\n(e.g. x86, ARM, x32), the output buffer size value calculated in the\nbase64 encode function would wrap around if input size was at least\n1GB of data, causing an undersized output buffer to be allocated.\n\nCVE-2016-8618\nIt was discovered that the curl_maprintf() function could be tricked\ninto doing a double-free due to an unsafe size_t multiplication on\nsystems using 32 bit size_t variables.\n\nCVE-2016-8619\nIt was discovered that the Kerberos implementation could be\ntricked into doing a double-free when reading one of the length fields\nfrom a socket.\n\nCVE-2016-8620It was discovered that the curl tool's globbing\nfeature could write\nto invalid memory areas when parsing invalid ranges.\n\nCVE-2016-8621\nIt was discovered that the function curl_getdate could read out of\nbounds when parsing invalid date strings.\n\nCVE-2016-8622\nIt was discovered that the URL percent-encoding decode function would\nreturn a signed 32bit integer variable as length, even though it\nallocated a destination buffer larger than 2GB, which would lead to\na out-of-bounds write.\n\nCVE-2016-8623\nIt was discovered that libcurl could access an already-freed memory\narea due to concurrent access to shared cookies. This could lead to\na denial of service or disclosure of sensitive information.\n\nCVE-2016-8624\nIt was discovered that curl wouldn't parse the authority component of\na URL correctly when the host name part ends with a '#' character,\nand could be tricked into connecting to a different host.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"curl\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl3-nss\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl4-doc\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl4-nss-dev\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.38.0-4+deb8u5\", rls:\"DEB8\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-24T12:54:47", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "Several vulnerabilities were discovered in cURL, an URL transfer library:\n\nCVE-2016-8615 \nIt was discovered that a malicious HTTP server could inject new\ncookies for arbitrary domains into a cookie jar.\n\nCVE-2016-8616 \nIt was discovered that when re-using a connection, curl was doing case\ninsensitive comparisons of user name and password with the existing\nconnections.\n\nCVE-2016-8617 \nIt was discovered that on systems with 32-bit addresses in userspace\n(e.g. x86, ARM, x32), the output buffer size value calculated in the\nbase64 encode function would wrap around if input size was at least\n1GB of data, causing an undersized output buffer to be allocated.\n\nCVE-2016-8618 \nIt was discovered that the curl_maprintf() function could be tricked\ninto doing a double-free due to an unsafe size_t multiplication on\nsystems using 32 bit size_t variables.\n\nCVE-2016-8619 \nIt was discovered that the Kerberos implementation could be\ntricked into doing a double-free when reading one of the length fields\nfrom a socket.\n\nCVE-2016-8620It was discovered that the curl tool", "modified": "2017-07-07T00:00:00", "published": "2016-11-03T00:00:00", "id": "OPENVAS:703705", "href": "http://plugins.openvas.org/nasl.php?oid=703705", "type": "openvas", "title": "Debian Security Advisory DSA 3705-1 (curl - security update)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3705.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3705-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703705);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_name(\"Debian Security Advisory DSA 3705-1 (curl - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-11-03 00:00:00 +0100 (Thu, 03 Nov 2016)\");\n script_tag(name: \"cvss_base\", value: \"10.0\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3705.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"curl on Debian Linux\");\n script_tag(name: \"insight\", value: \"curl is a command line tool for transferring data with URL syntax, supporting\nDICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3,\nPOP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie), these problems have been fixed in\nversion 7.38.0-4+deb8u5.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 7.51.0-1.\n\nWe recommend that you upgrade your curl packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered in cURL, an URL transfer library:\n\nCVE-2016-8615 \nIt was discovered that a malicious HTTP server could inject new\ncookies for arbitrary domains into a cookie jar.\n\nCVE-2016-8616 \nIt was discovered that when re-using a connection, curl was doing case\ninsensitive comparisons of user name and password with the existing\nconnections.\n\nCVE-2016-8617 \nIt was discovered that on systems with 32-bit addresses in userspace\n(e.g. x86, ARM, x32), the output buffer size value calculated in the\nbase64 encode function would wrap around if input size was at least\n1GB of data, causing an undersized output buffer to be allocated.\n\nCVE-2016-8618 \nIt was discovered that the curl_maprintf() function could be tricked\ninto doing a double-free due to an unsafe size_t multiplication on\nsystems using 32 bit size_t variables.\n\nCVE-2016-8619 \nIt was discovered that the Kerberos implementation could be\ntricked into doing a double-free when reading one of the length fields\nfrom a socket.\n\nCVE-2016-8620It was discovered that the curl tool's globbing \nfeature could write\nto invalid memory areas when parsing invalid ranges.\n\nCVE-2016-8621 \nIt was discovered that the function curl_getdate could read out of\nbounds when parsing invalid date strings.\n\nCVE-2016-8622 \nIt was discovered that the URL percent-encoding decode function would\nreturn a signed 32bit integer variable as length, even though it\nallocated a destination buffer larger than 2GB, which would lead to\na out-of-bounds write.\n\nCVE-2016-8623 \nIt was discovered that libcurl could access an already-freed memory\narea due to concurrent access to shared cookies. This could lead to\na denial of service or disclosure of sensitive information.\n\nCVE-2016-8624 \nIt was discovered that curl wouldn't parse the authority component of\na URL correctly when the host name part ends with a '#' character,\nand could be tricked into connecting to a different host.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-nss\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-doc\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-nss-dev\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.38.0-4+deb8u5\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-29T18:35:31", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-07T00:00:00", "id": "OPENVAS:1361412562310872080", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872080", "type": "openvas", "title": "Fedora Update for curl FEDORA-2016-89769648a0", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for curl FEDORA-2016-89769648a0\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.872080\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-07 05:26:52 +0100 (Wed, 07 Dec 2016)\");\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8619\", \"CVE-2016-8618\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for curl FEDORA-2016-89769648a0\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'curl'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"curl on Fedora 25\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-89769648a0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JYTXIUQEYYWVLG2WJOE6FOVWRSPOQBM\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC25\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC25\")\n{\n\n if ((res = isrpmvuln(pkg:\"curl\", rpm:\"curl~7.51.0~1.fc25\", rls:\"FC25\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-8621"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-12-02T00:00:00", "id": "OPENVAS:1361412562310810155", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810155", "type": "openvas", "title": "Fedora Update for curl FEDORA-2016-e8e8cdb4ed", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for curl FEDORA-2016-e8e8cdb4ed\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810155\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-02 14:04:09 +0100 (Fri, 02 Dec 2016)\");\n script_cve_id(\"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\", \"CVE-2016-8619\",\n \"CVE-2016-8618\", \"CVE-2016-8620\", \"CVE-2016-8621\", \"CVE-2016-8622\",\n \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for curl FEDORA-2016-e8e8cdb4ed\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'curl'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"curl on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-e8e8cdb4ed\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S35RRQRUQKGWNDB4PRIQM7ZAHJXEDFCQ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"curl\", rpm:\"curl~7.47.1~9.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T18:35:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-11-11T00:00:00", "id": "OPENVAS:1361412562310851432", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851432", "type": "openvas", "title": "openSUSE: Security Advisory for curl (openSUSE-SU-2016:2768-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851432\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-11 05:47:41 +0100 (Fri, 11 Nov 2016)\");\n script_cve_id(\"CVE-2016-7167\", \"CVE-2016-8615\", \"CVE-2016-8616\", \"CVE-2016-8617\",\n \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\", \"CVE-2016-8621\",\n \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for curl (openSUSE-SU-2016:2768-1)\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for curl fixes the following security issues:\n\n - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)\n\n - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)\n\n - CVE-2016-8622: URL unescape heap overflow via integer truncation\n (bsc#1005643)\n\n - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)\n\n - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)\n\n - CVE-2016-8619: double-free in krb5 code (bsc#1005638)\n\n - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)\n\n - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)\n\n - CVE-2016-8616: case insensitive password comparison (bsc#1005634)\n\n - CVE-2016-8615: cookie injection for other servers (bsc#1005633)\n\n - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)\n\n This update was imported from the SUSE:SLE-12:Update update project.\");\n\n script_tag(name:\"affected\", value:\"curl on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:2768-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'curl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"curl\", rpm:\"curl~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"curl-debuginfo\", rpm:\"curl-debuginfo~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"curl-debugsource\", rpm:\"curl-debugsource~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl-devel\", rpm:\"libcurl-devel~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl4\", rpm:\"libcurl4~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl4-debuginfo\", rpm:\"libcurl4-debuginfo~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl-devel-32bit\", rpm:\"libcurl-devel-32bit~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl4-32bit\", rpm:\"libcurl4-32bit~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl4-debuginfo-32bit\", rpm:\"libcurl4-debuginfo-32bit~7.37.0~16.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-7141", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "description": "The remote host is missing an update for the ", "modified": "2019-03-13T00:00:00", "published": "2016-11-04T00:00:00", "id": "OPENVAS:1361412562310842943", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842943", "type": "openvas", "title": "Ubuntu Update for curl USN-3123-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for curl USN-3123-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842943\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-04 05:44:25 +0100 (Fri, 04 Nov 2016)\");\n script_cve_id(\"CVE-2016-7141\", \"CVE-2016-7167\", \"CVE-2016-8615\", \"CVE-2016-8616\",\n\t\t\"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8619\", \"CVE-2016-8620\",\n\t\t\"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for curl USN-3123-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'curl'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that curl incorrectly\n reused client certificates when built with NSS. A remote attacker could possibly\n use this issue to hijack the authentication of a TLS connection. (CVE-2016-7141)\n\nNguyen Vu Hoang discovered that curl incorrectly handled escaping certain\nstrings. A remote attacker could possibly use this issue to cause curl to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2016-7167)\n\nIt was discovered that curl incorrectly handled storing cookies. A remote\nattacker could possibly use this issue to inject cookies for arbitrary\ndomains in the cookie jar. (CVE-2016-8615)\n\nIt was discovered that curl incorrect handled case when comparing user\nnames and passwords. A remote attacker with knowledge of a case-insensitive\nversion of the correct password could possibly use this issue to cause\na connection to be reused. (CVE-2016-8616)\n\nIt was discovered that curl incorrect handled memory when encoding to\nbase64. A remote attacker could possibly use this issue to cause curl to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2016-8617)\n\nIt was discovered that curl incorrect handled memory when preparing\nformatted output. A remote attacker could possibly use this issue to cause\ncurl to crash, resulting in a denial of service, or possibly execute\narbitrary code. (CVE-2016-8618)\n\nIt was discovered that curl incorrect handled memory when performing\nKerberos authentication. A remote attacker could possibly use this issue to\ncause curl to crash, resulting in a denial of service, or possibly execute\narbitrary code. (CVE-2016-8619)\n\nLu&#7853 t Nguy&#7877 n discovered that curl incorrectly handled parsing globs. A\nremote attacker could possibly use this issue to cause curl to crash,\nresulting in a denial of service, or possibly execute arbitrary code. This\nissue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.\n(CVE-2016-8620)\n\nLu&#7853 t Nguy&#7877 n discovered that curl incorrectly handled converting dates. A\nremote attacker could possibly use this issue to cause curl to crash,\nresulting in a denial of service. (CVE-2016-8621)\n\nIt was discovered that curl incorrectly handled URL percent-encoding\ndecoding. A remote attacker could possibly use this issue to cause curl to\ncrash, resulting in a denial of service, or possibly execute arbitrary\ncode. (CVE-2016-8622)\n\nIt was discovered that curl incorrectly handled shared cookies. A remote\nserver could possibly obtain incorrect cookies or other sensitive\ninformation. (CVE-2016-8623)\n\nFernando Mu&#241 oz discovered that curl incorrect parsed certain URLs. A remote\nattacker could possibly use this issue to trick curl into connecting to a\ndifferent host. (CVE-2016-8624)\");\n script_tag(name:\"affected\", value:\"curl on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 16.10,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3123-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3123-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS|16\\.10)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.35.0-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:amd64\", ver:\"7.35.0-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:i386\", ver:\"7.35.0-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:amd64\", ver:\"7.35.0-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:i386\", ver:\"7.35.0-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:amd64\", ver:\"7.35.0-1ubuntu2.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.22.0-3ubuntu4.17\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:amd64\", ver:\"7.22.0-3ubuntu4.17\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:i386\", ver:\"7.22.0-3ubuntu4.17\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:amd64\", ver:\"7.22.0-3ubuntu4.17\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:i386\", ver:\"7.22.0-3ubuntu4.17\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:amd64\", ver:\"7.22.0-3ubuntu4.17\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.47.0-1ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:amd64\", ver:\"7.47.0-1ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:i386\", ver:\"7.47.0-1ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:amd64\", ver:\"7.47.0-1ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:i386\", ver:\"7.47.0-1ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:amd64\", ver:\"7.47.0-1ubuntu2.2\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.50.1-1ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:amd64\", ver:\"7.50.1-1ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:i386\", ver:\"7.50.1-1ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-gnutls:amd64\", ver:\"7.50.1-1ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:i386\", ver:\"7.50.1-1ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libcurl3-nss:amd64\", ver:\"7.50.1-1ubuntu1.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-0729", "CVE-2016-8617", "CVE-2016-8624", "CVE-2017-1227", "CVE-2016-8621"], "description": "This host is installed with IBM Tivoli\n Endpoint Manager and is prone to multiple vulnerabilities.", "modified": "2018-10-17T00:00:00", "published": "2017-08-03T00:00:00", "id": "OPENVAS:1361412562310811270", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811270", "type": "openvas", "title": "IBM Tivoli Endpoint Manager Multiple Vulnerabilities-Aug17", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_tivoli_endpoint_manager_mult_vuln_aug17.nasl 11933 2018-10-17 07:09:44Z asteins $\n#\n# IBM Tivoli Endpoint Manager Multiple Vulnerabilities-Aug17\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:tivoli_endpoint_manager\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811270\");\n script_version(\"$Revision: 11933 $\");\n script_cve_id(\"CVE-2017-1227\", \"CVE-2016-0729\", \"CVE-2016-8617\", \"CVE-2016-8624\",\n \"CVE-2016-8621\");\n script_bugtraq_id(100073, 83423, 94097, 94103, 94101);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-17 09:09:44 +0200 (Wed, 17 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-03 13:58:40 +0530 (Thu, 03 Aug 2017)\");\n script_name(\"IBM Tivoli Endpoint Manager Multiple Vulnerabilities-Aug17\");\n\n script_tag(name:\"summary\", value:\"This host is installed with IBM Tivoli\n Endpoint Manager and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist as,\n\n - Under certain conditions the size or amount of memory resources that are\n requested or influenced by an actor is not restricted.\n\n - Multiple buffer overflows errors exists in internal/XMLReader.cpp,\n util/XMLURL.cpp and util/XMLUri.cpp in the XML Parser library in Apache Xerces-C.\n\n - A buffer overflow error exists in cURL/libcURL.\n\n - An invalid URL parsing in cURL/libcURL.\n\n - A read out of bounds error in 'curl_getdate'\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to consume more resources than reasonably intended, resulting in a\n crash or segmentation fault, bypass certain security restrictions and gain\n access to potentially sensitive information.\");\n\n script_tag(name:\"affected\", value:\"IBM Tivoli Endpoint Manager (BigFix Platform)\n 9.1 prior to patch 10, 9.2 prior to patch 10 and 9.5 prior to patch 5\");\n\n script_tag(name:\"solution\", value:\"Upgrade to IBM Tivoli Endpoint Manager\n (BigFix Platform) 9.1 patch 10 or 9.2 patch 10 or 9.5 patch 5 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg22003222\");\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_ibm_endpoint_manager_web_detect.nasl\");\n script_mandatory_keys(\"ibm_endpoint_manager/installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!ibmPort = get_app_port(cpe: CPE)){\n exit(0);\n}\n\nif(!ibmVersion = get_app_version(cpe: CPE, port: ibmPort)){\n exit(0);\n}\n\n## Version 9.1 Patch 10 = 9.1.1314.0 , https://support.bigfix.com/bes/changes/fullchangelist-91.txt\nif (ibmVersion =~ \"^(9\\.1\\.)\" && version_is_less(version: ibmVersion, test_version: \"9.1.1314.0\")) {\n fix = \"9.1.1314.0\";\n}\n\n## Version 9.2 Patch 10 = 9.2.10.25 , https://support.bigfix.com/bes/changes/fullchangelist-92.txt\nelse if (ibmVersion =~ \"^(9\\.2\\.)\" && version_is_less(version: ibmVersion, test_version: \"9.2.10.25\")) {\n fix = \"9.2.10.25\";\n}\n\n## Version 9.5 Patch 5 = 9.5.5.193 , https://support.bigfix.com/bes/changes/fullchangelist-95.txt\nelse if (ibmVersion =~ \"^(9\\.5\\.)\" && version_is_less(version: ibmVersion, test_version: \"9.5.5.193\")) {\n fix = \"9.5.5.193\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version: ibmVersion, fixed_version: fix);\n security_message(port: ibmPort, data: report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-27T18:35:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-8623", "CVE-2018-1000120", "CVE-2016-8615", "CVE-2014-3613", "CVE-2014-8150", "CVE-2016-8618", "CVE-2018-1000121", "CVE-2016-7141", "CVE-2017-8817", "CVE-2016-8617", "CVE-2018-1000122", "CVE-2013-1944", "CVE-2016-8622", "CVE-2017-1000257", "CVE-2014-0015", "CVE-2016-8624", "CVE-2016-9586", "CVE-2016-5419", "CVE-2014-0138", "CVE-2016-8621"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220191549", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220191549", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2019-1549)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.1549\");\n script_version(\"2020-01-23T14:23:06+0000\");\n script_cve_id(\"CVE-2013-1944\", \"CVE-2014-0015\", \"CVE-2014-0138\", \"CVE-2014-3613\", \"CVE-2014-8150\", \"CVE-2016-5419\", \"CVE-2016-7141\", \"CVE-2016-8615\", \"CVE-2016-8617\", \"CVE-2016-8618\", \"CVE-2016-8621\", \"CVE-2016-8622\", \"CVE-2016-8623\", \"CVE-2016-8624\", \"CVE-2016-9586\", \"CVE-2017-1000257\", \"CVE-2017-8817\", \"CVE-2018-1000120\", \"CVE-2018-1000121\", \"CVE-2018-1000122\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 14:23:06 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:12:05 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2019-1549)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.1\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-1549\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1549\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'curl' package(s) announced via the EulerOS-SA-2019-1549 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A NULL pointer dereference flaw was found in the way libcurl checks values returned by the openldap ldap_get_attribute_ber() function. A malicious LDAP server could use this flaw to crash a libcurl client application via a specially crafted LDAP reply.(CVE-2018-1000121)\n\nIt was found that libcurl did not safely parse FTP URLs when using the CURLOPT_FTP_FILEMETHOD method. An attacker, able to provide a specially crafted FTP URL to an application using libcurl, could write a NULL byte at an arbitrary location, resulting in a crash, or an unspecified behavior.(CVE-2018-1000120)\n\nA flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.(CVE-2016-8623)\n\nThe URL percent-encoding decode function in libcurl before 7.51.0 is called `curl_easy_unescape`. Internally, even if this function would be made to allocate a unscape destination buffer larger than 2GB, it would return that new length in a signed 32 bit integer variable, thus the length would get either just truncated or both truncated and turned negative. That could then lead to libcurl writing outside of its heap based buffer.(CVE-2016-8622)\n\nIt was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.(CVE-2016-5419)\n\nA buffer overrun flaw was found in the IMAP handler of libcurl. By tricking an unsuspecting user into connecting to a malicious IMAP server, an attacker could exploit this flaw to potentially cause information disclosure or crash the application.(CVE-2017-1000257)\n\ncurl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.(CVE-2016-8624)\n\nThe `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.(CVE-2016-8621)\n\nA buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in the RTSP+RTP handling code that allows an attacker to cause a denial of service or information leakage(CVE-2018-1000122)\n\ncurl before version 7.52.0 is vulnerable to a buffer overflow when doing a large floating point output in libcurl's implementation of the printf() functions. If there are any application that accepts a format string from the outside without necessary input filtering, it could allow remote attacks.(CVE-2016-9586)\n\nThe FTP wildcard function in curl and libcurl before 7.57. ...\n\n Description truncated. Please see the references for more information.\");\n\n script_tag(name:\"affected\", value:\"'curl' package(s) on Huawei EulerOS Virtualization 3.0.1.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.1.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"curl\", rpm:\"curl~7.29.0~46.h10\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"libcurl\", rpm:\"libcurl~7.29.0~46.h10\", rls:\"EULEROSVIRT-3.0.1.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-11-10T17:28:02", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "edition": 1, "description": "This update for curl fixes the following security issues:\n\n - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)\n - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)\n - CVE-2016-8622: URL unescape heap overflow via integer truncation\n (bsc#1005643)\n - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)\n - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)\n - CVE-2016-8619: double-free in krb5 code (bsc#1005638)\n - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)\n - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)\n - CVE-2016-8616: case insensitive password comparison (bsc#1005634)\n - CVE-2016-8615: cookie injection for other servers (bsc#1005633)\n - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "modified": "2016-11-10T17:06:47", "published": "2016-11-10T17:06:47", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00020.html", "id": "OPENSUSE-SU-2016:2768-1", "type": "suse", "title": "Security update for curl (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-02T17:27:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "edition": 1, "description": "This update for curl fixes the following security issues:\n\n - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)\n - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)\n - CVE-2016-8622: URL unescape heap overflow via integer truncation\n (bsc#1005643)\n - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)\n - CVE-2016-8620: glob parser write/read out of bounds (bsc#1005640)\n - CVE-2016-8619: double-free in krb5 code (bsc#1005638)\n - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)\n - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)\n - CVE-2016-8616: case insensitive password comparison (bsc#1005634)\n - CVE-2016-8615: cookie injection for other servers (bsc#1005633)\n - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)\n\n", "modified": "2016-11-02T16:07:53", "published": "2016-11-02T16:07:53", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00006.html", "id": "SUSE-SU-2016:2699-1", "type": "suse", "title": "Security update for curl (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-03T17:27:48", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "edition": 1, "description": "This update for curl fixes the following security issues:\n\n - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)\n - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)\n - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)\n - CVE-2016-8619: double-free in krb5 code (bsc#1005638)\n - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)\n - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)\n - CVE-2016-8616: case insensitive password comparison (bsc#1005634)\n - CVE-2016-8615: cookie injection for other servers (bsc#1005633)\n - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)\n\n", "modified": "2016-11-03T15:08:42", "published": "2016-11-03T15:08:42", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00010.html", "id": "SUSE-SU-2016:2714-1", "type": "suse", "title": "Security update for curl (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-02T17:27:47", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-5420", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-7141", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "edition": 1, "description": "This update for curl fixes the following issues:\n\n - CVE-2016-8624: invalid URL parsing with '#' (bsc#1005646)\n - CVE-2016-8623: Use-after-free via shared cookies (bsc#1005645)\n - CVE-2016-8621: curl_getdate read out of bounds (bsc#1005642)\n - CVE-2016-8619: double-free in krb5 code (bsc#1005638)\n - CVE-2016-8618: double-free in curl_maprintf (bsc#1005637)\n - CVE-2016-8617: OOB write via unchecked multiplication (bsc#1005635)\n - CVE-2016-8616: case insensitive password comparison (bsc#1005634)\n - CVE-2016-8615: cookie injection for other servers (bsc#1005633)\n - CVE-2016-7167: escape and unescape integer overflows (bsc#998760)\n - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS not\n fixed in CVE-2016-5420 (bsc#997420)\n\n", "modified": "2016-11-02T16:09:54", "published": "2016-11-02T16:09:54", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00007.html", "id": "SUSE-SU-2016:2700-1", "type": "suse", "title": "Security update for curl (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2020-12-09T20:07:43", "description": "curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-01T06:29:00", "title": "CVE-2016-8625", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8625"], "modified": "2019-10-09T23:20:00", "cpe": [], "id": "CVE-2016-8625", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8625", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "The `curl_getdate` function in curl before version 7.51.0 is vulnerable to an out of bounds read if it receives an input with one digit short.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-31T22:29:00", "title": "CVE-2016-8621", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8621"], "modified": "2018-11-13T11:29:00", "cpe": [], "id": "CVE-2016-8621", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8621", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "A flaw was found in curl before version 7.51. If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-01T06:29:00", "title": "CVE-2016-8615", "type": "cve", "cwe": ["CWE-254"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8615"], "modified": "2018-11-13T11:29:00", "cpe": [], "id": "CVE-2016-8615", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8615", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "The libcurl API function called `curl_maprintf()` before version 7.51.0 can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32 bit `size_t` variables.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-31T21:29:00", "title": "CVE-2016-8618", "type": "cve", "cwe": ["CWE-415"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8618"], "modified": "2018-11-13T11:29:00", "cpe": [], "id": "CVE-2016-8618", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8618", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "curl before version 7.51.0 doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use an URL parser that follows the RFC to check for allowed domains before using curl to request them.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-31T21:29:00", "title": "CVE-2016-8624", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8624"], "modified": "2020-09-14T21:15:00", "cpe": [], "id": "CVE-2016-8624", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8624", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "A flaw was found in curl before version 7.51.0. The way curl handles cookies permits other threads to trigger a use-after-free leading to information disclosure.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-01T06:29:00", "title": "CVE-2016-8623", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8623"], "modified": "2019-10-09T23:20:00", "cpe": [], "id": "CVE-2016-8623", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8623", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "The function `read_data()` in security.c in curl before version 7.51.0 is vulnerable to memory double free.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-01T06:29:00", "title": "CVE-2016-8619", "type": "cve", "cwe": ["CWE-415"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8619"], "modified": "2019-10-09T23:20:00", "cpe": [], "id": "CVE-2016-8619", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8619", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "A flaw was found in curl before version 7.51.0 When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.", "edition": 7, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.9, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-01T06:29:00", "title": "CVE-2016-8616", "type": "cve", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8616"], "modified": "2019-10-09T23:20:00", "cpe": [], "id": "CVE-2016-8616", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8616", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:07:43", "description": "The base64 encode function in curl before version 7.51.0 is prone to a buffer being under allocated in 32bit systems if it receives at least 1Gb as input via `CURLOPT_USERNAME`.", "edition": 6, "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-31T22:29:00", "title": "CVE-2016-8617", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8617"], "modified": "2018-11-13T11:29:00", "cpe": [], "id": "CVE-2016-8617", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8617", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "ubuntu": [{"lastseen": "2020-07-02T11:45:11", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-7141", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "description": "It was discovered that curl incorrectly reused client certificates when \nbuilt with NSS. A remote attacker could possibly use this issue to hijack \nthe authentication of a TLS connection. (CVE-2016-7141)\n\nNguyen Vu Hoang discovered that curl incorrectly handled escaping certain \nstrings. A remote attacker could possibly use this issue to cause curl to \ncrash, resulting in a denial of service, or possibly execute arbitrary \ncode. (CVE-2016-7167)\n\nIt was discovered that curl incorrectly handled storing cookies. A remote \nattacker could possibly use this issue to inject cookies for arbitrary \ndomains in the cookie jar. (CVE-2016-8615)\n\nIt was discovered that curl incorrect handled case when comparing user \nnames and passwords. A remote attacker with knowledge of a case-insensitive \nversion of the correct password could possibly use this issue to cause \na connection to be reused. (CVE-2016-8616)\n\nIt was discovered that curl incorrect handled memory when encoding to \nbase64. A remote attacker could possibly use this issue to cause curl to \ncrash, resulting in a denial of service, or possibly execute arbitrary \ncode. (CVE-2016-8617)\n\nIt was discovered that curl incorrect handled memory when preparing \nformatted output. A remote attacker could possibly use this issue to cause \ncurl to crash, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2016-8618)\n\nIt was discovered that curl incorrect handled memory when performing \nKerberos authentication. A remote attacker could possibly use this issue to \ncause curl to crash, resulting in a denial of service, or possibly execute \narbitrary code. (CVE-2016-8619)\n\nLu\u1eadt Nguy\u1ec5n discovered that curl incorrectly handled parsing globs. A \nremote attacker could possibly use this issue to cause curl to crash, \nresulting in a denial of service, or possibly execute arbitrary code. This \nissue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. \n(CVE-2016-8620)\n\nLu\u1eadt Nguy\u1ec5n discovered that curl incorrectly handled converting dates. A \nremote attacker could possibly use this issue to cause curl to crash, \nresulting in a denial of service. (CVE-2016-8621)\n\nIt was discovered that curl incorrectly handled URL percent-encoding \ndecoding. A remote attacker could possibly use this issue to cause curl to \ncrash, resulting in a denial of service, or possibly execute arbitrary \ncode. (CVE-2016-8622)\n\nIt was discovered that curl incorrectly handled shared cookies. A remote \nserver could possibly obtain incorrect cookies or other sensitive \ninformation. (CVE-2016-8623)\n\nFernando Mu\u00f1oz discovered that curl incorrect parsed certain URLs. A remote \nattacker could possibly use this issue to trick curl into connecting to a \ndifferent host. (CVE-2016-8624)", "edition": 5, "modified": "2016-11-03T00:00:00", "published": "2016-11-03T00:00:00", "id": "USN-3123-1", "href": "https://ubuntu.com/security/notices/USN-3123-1", "title": "curl vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:00", "bulletinFamily": "software", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2016-8618", "CVE-2016-7141", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-7167", "CVE-2016-8621"], "description": "USN-3123-1: curl vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04 LTS \n\n# Description\n\nIt was discovered that curl incorrectly reused client certificates when built with NSS. A remote attacker could possibly use this issue to hijack the authentication of a TLS connection. ([CVE-2016-7141](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7141>))\n\nNguyen Vu Hoang discovered that curl incorrectly handled escaping certain strings. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. ([CVE-2016-7167](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7167>))\n\nIt was discovered that curl incorrectly handled storing cookies. A remote attacker could possibly use this issue to inject cookies for arbitrary domains in the cookie jar. ([CVE-2016-8615](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8615>))\n\nIt was discovered that curl incorrect handled case when comparing usernames and passwords. A remote attacker with knowledge of a case-insensitive version of the correct password could possibly use this issue to cause a connection to be reused. ([CVE-2016-8616](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8616>))\n\nIt was discovered that curl incorrect handled memory when encoding tobase64. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. ([CVE-2016-8617](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8617>))\n\nIt was discovered that curl incorrect handled memory when preparing formatted output. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. ([CVE-2016-8618](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8618>))\n\nIt was discovered that curl incorrect handled memory when performing Kerberos authentication. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. ([CVE-2016-8619](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8619>))\n\nLu\u1eadt Nguy\u1ec5n discovered that curl incorrectly handled parsing globs. A remote attacker could possibly use this issue to cause curl to crash,resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10.([CVE-2016-8620](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8620>))\n\nLu\u1eadt Nguy\u1ec5n discovered that curl incorrectly handled converting dates. A remote attacker could possibly use this issue to cause curl to crash,resulting in a denial of service. ([CVE-2016-8621](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8621>))\n\nIt was discovered that curl incorrectly handled URL percent-encoding decoding. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. ([CVE-2016-8622](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8622>))\n\nIt was discovered that curl incorrectly handled shared cookies. A remote server could possibly obtain incorrect cookies or other sensitive information. ([CVE-2016-8623](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8623>))\n\nFernando Mu\u00f1oz discovered that curl incorrect parsed certain URLs. A remote attacker could possibly use this issue to trick curl into connecting to a different host. ([CVE-2016-8624](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8624>))\n\n# Affected Products and Versions\n\n_Severity is medium unless otherwise noted. \n_\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * All versions prior to 3151.5 \n * 3233.x versions prior to 3233.6 \n * 3263.x versions prior to 3263.12 \n * 3312.x versions prior to 3312.7 \n * All other versions \n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.90.0 \n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry team recommends upgrading to the following BOSH stemcells: \n * Upgrade all lower versions of 3151.x to version 3151.5 \n * Upgrade all lower versions of 3233.x to version 3233.6 \n * Upgrade all lower versions of 3263.x to version 3263.12 \n * Upgrade all lower versions of 3312.x to version 3312.7 \n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.90.0 or later versions \n\n# Credit\n\nLu\u1eadt Nguy\u1ec5n, Fernando Mu\u00f1oz, Nguyen Vu Hoang \n\n# References\n\n * <https://www.ubuntu.com/usn/USN-3123-1>\n * [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7141 ](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7141>)\n * [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7167 ](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7167>)\n * [http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8615 ](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8615>)\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8616>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8617>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8618>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8619>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8620>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8621>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8622>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8623>\n * <http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-8624>\n", "edition": 5, "modified": "2016-12-13T00:00:00", "published": "2016-12-13T00:00:00", "id": "CFOUNDRY:7D5FB6CA51F09BC6516D6E547D7F4E42", "href": "https://www.cloudfoundry.org/blog/usn-3123-1/", "title": "USN-3123-1: curl vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2020-04-06T22:40:46", "bulletinFamily": "software", "cvelist": ["CVE-2016-8621"], "description": "\nF5 Product Development has assigned ID 655374 (BIG-IP), ID 234567 (BIG-IQ), ID 655413 (Enterprise Manager), ID 655416 (BIG-IQ), ID 655802 (F5 iWorkflow), CPF-23662, CPF-23663, and CPF-23664 (Traffix), and ID 476510 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H26899353 on the **Diagnostics** &gt; **Identified** &gt; **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | **curl** \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n | 13.1.0 | Medium | **curl** \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Medium | **curl** \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | **curl** \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | **curl** \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | **curl** \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.4 | 13.1.0 | Medium | **curl** \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | **curl** \nBIG-IP GTM | 11.4.0 - 11.6.3 \n11.2.1 | None | Medium | **curl** \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | **curl** \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Medium | **curl** \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | **curl** \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | **curl** \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.4 \n11.6.0 - 11.6.3 | 13.1.0 | Medium | **curl** \nARX | 6.2.0 - 6.4.0 | None | Low | **curl** \nEnterprise Manager | 3.1.1 | None | Medium | **curl** \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | **curl** \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | **curl** \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | **curl** \nBIG-IQ ADC | 4.5.0 | None | Medium | **curl** \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Medium | **curl** \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | **curl** \nF5 iWorkflow | 2.0.0 - 2.1.0 | None | Medium | **curl** \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | **curl**\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nAdministrators should avoid using **curl **in custom monitors or restrict time stamp data manipulation to trusted sites only.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix and point release matrix](<https://support.f5.com/csp/article/K15113>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "edition": 1, "modified": "2019-03-15T18:25:00", "published": "2017-04-19T17:54:00", "id": "F5:K26899353", "href": "https://support.f5.com/csp/article/K26899353", "title": "libcurl vulnerability CVE-2016-8621 ", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-06T22:40:26", "bulletinFamily": "software", "cvelist": ["CVE-2016-8618"], "description": "\nF5 Product Development has assigned ID 655157 (BIG-IP), IDs CPF-23662, CPF-23663, and CPF-23664 (Traffix), and ID 476510 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H10196624 on the **Diagnostics** &gt; **Identified** &gt; **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP AAM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP AFM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP Analytics | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP APM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP ASM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP DNS | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP Edge Gateway | 11.2.1 | None | Low | libcurl \nbig3d \nBIG-IP GTM | 11.4.0 - 11.6.3 \n11.2.1 | None | Low | libcurl \nbig3d \nBIG-IP Link Controller | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP PEM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Low | libcurl \nbig3d \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | libcurl \nbig3d \nBIG-IP WebAccelerator | 11.2.1 | None | Low | libcurl \nbig3d \nBIG-IP WebSafe | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Low | libcurl \nbig3d \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl \nEnterprise Manager | None | 3.1.1 \n | Not vulnerable1 | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable1 | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable1 | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable1 | None \nF5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable1 | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | libcurl \n \n1The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this issue, you can remove the **curl** command from custom monitors and scripts.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "edition": 1, "modified": "2019-02-21T18:54:00", "published": "2017-04-21T21:46:00", "id": "F5:K10196624", "href": "https://support.f5.com/csp/article/K10196624", "title": "libcurl vulnerability CVE-2016-8618 ", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-06T22:39:31", "bulletinFamily": "software", "cvelist": ["CVE-2016-8616"], "description": "\nF5 Product Development has assigned ID 654926 (BIG-IP), ID 655797 (F5 iWorkflow), ID 654973 (BIG-IQ), ID 654972 (Enterprise Manager), CPF-23662, CPF-23663, and CPF-23664 (Traffix), and ID 476510 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H52828640 on the **Diagnostics** &gt; **Identified** &gt; **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | libcurl \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Medium | libcurl \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Medium | libcurl \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | libcurl \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | libcurl \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | libcurl \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.3 | 13.1.0 | Medium | libcurl \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | libcurl \nBIG-IP GTM | 11.4.0 - 11.6.2 \n11.2.1 | None | Medium | libcurl \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | libcurl \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Medium | libcurl \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | libcurl \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | libcurl \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.2 | 13.1.0 | Medium | libcurl \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl \nEnterprise Manager | 3.1.1 | None | Medium | libcurl \nBIG-IQ Cloud | 4.4.0 - 4.5.0 | None | Medium | libcurl \nBIG-IQ Device | 4.4.0 - 4.5.0 | None | Medium | libcurl \nBIG-IQ Security | 4.4.0 - 4.5.0 | None | Medium | libcurl \nBIG-IQ ADC | 4.5.0 | None | Medium | libcurl \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Medium | libcurl \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | libcurl \nF5 iWorkflow | 2.0.0 - 2.1.0 | None | Medium | libcurl \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Low | libcurl \n \n1 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you should only permit management access to F5 products over a secure network and limit shell access to trusted users. For more information about securing access to BIG-IP and Enterprise Manager systems, refer to [K13309: Restricting access to the Configuration utility by source IP address (11.x - 13.x)](<https://support.f5.com/csp/article/K13309>) and [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2018-09-13T20:14:00", "published": "2017-04-13T00:44:00", "id": "F5:K52828640", "href": "https://support.f5.com/csp/article/K52828640", "title": "libcurl vulnerability CVE-2016-8616", "type": "f5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-06T22:40:54", "bulletinFamily": "software", "cvelist": ["CVE-2016-8617"], "description": "\nF5 Product Development has assigned ID 654934 (BIG-IP), ID 655029 (Enterprise Manager), ID 655031 (BIG-IQ), ID 655798 (F5 iWorkflow), ID 476510 (ARX), and CPF-23662, CPF-23663, and CPF-23664 (Traffix) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H44503763 on the **Diagnostics** &gt; **Identified** &gt; **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | libcurl \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Low | libcurl \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Low | libcurl \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | libcurl \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | libcurl \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | libcurl \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.3 | 13.1.0 | Low | libcurl \nBIG-IP Edge Gateway | 11.2.1 | None | Low | libcurl \nBIG-IP GTM | 11.4.0 - 11.6.2 \n11.2.1 | None | Low | libcurl \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | libcurl \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Low | libcurl \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | libcurl \nBIG-IP WebAccelerator | 11.2.1 | None | Low | libcurl \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.2 | 13.1.0 | Low | libcurl \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl \nEnterprise Manager | 3.1.1 | None | Low | libcurl \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | libcurl \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | libcurl \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | libcurl \nBIG-IQ ADC | 4.5.0 | None | Low | libcurl \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Low | libcurl \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | libcurl \nF5 iWorkflow | 2.0.0 - 2.1.0 | None | Low | libcurl \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | libcurl\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix and point release matrix](<https://support.f5.com/csp/article/K15113>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "edition": 1, "modified": "2018-09-13T20:19:00", "published": "2017-04-13T00:49:00", "id": "F5:K44503763", "href": "https://support.f5.com/csp/article/K44503763", "title": "libcurl vulnerability CVE-2016-8617", "type": "f5", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-06T22:39:20", "bulletinFamily": "software", "cvelist": ["CVE-2016-8625"], "description": "\nF5 Product Development has assigned ID 655459 (BIG-IP), ID 655683 (BIG-IQ), ID 655805 (F5 iWorkflow), ID 655678 (Enterprise Manager), ID 476510 (ARX), CPF-23662, CPF-23663, and CPF-23664 (Traffix SDC) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H17742627 on the **Diagnostics** &gt; **Identified** &gt; **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | None | Low | cURL and libcurl \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | None | Low | cURL and libcurl \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.2 | None | Low | cURL and libcurl \nBIG-IP Edge Gateway | 11.2.1 | None | Low | cURL and libcurl \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | None | Low | cURL and libcurl \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | cURL and libcurl \nBIG-IP WebAccelerator | 11.2.1 | None | Low | cURL and libcurl \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | None | Low | cURL and libcurl \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl via the Management API (disabled by default) \nEnterprise Manager | 3.1.1 | None | Low | cURL and libcurl \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ ADC | 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Low | cURL and libcurl \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | cURL and libcurl \nF5 iWorkflow | 2.0.0 - 2.1.0 | None | Low | cURL and libcurl \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | cURL and libcurl \n \n1 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nBIG-IP, BIG-IQ, Enterprise Manager, and iWorkflow\n\nTo mitigate this vulnerability, if feasible, you should avoid using the local cURL utility in scripts and the BIG-IP system's Extended Application Verification (EAV) monitors on the vulnerable system. Additionally, you should only permit access to the system over a secure network and limit login access to trusted users. For more information about securing access to the BIG-IP or Enterprise Manager system, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\nARX\n\nTo mitigate this vulnerability, do not enable the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "edition": 1, "modified": "2018-09-13T20:51:00", "published": "2017-04-14T22:37:00", "id": "F5:K17742627", "href": "https://support.f5.com/csp/article/K17742627", "title": "cURL and libcurl vulnerability CVE-2016-8625", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-06T22:40:05", "bulletinFamily": "software", "cvelist": ["CVE-2016-8615"], "description": "\nF5 Product Development has assigned ID 654927 (BIG-IP), ID 654948 (Enterprise Manager), IDs CPF-23662, CPF-23663, and CPF-23664 (Traffix), and ID 476510 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H01006862 on the **Diagnostics** &gt; **Identified** &gt; **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.3 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | cURL and libcurl \nBIG-IP GTM | 11.4.0 - 11.6.2 \n11.2.1 | None | Medium | cURL and libcurl \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | cURL and libcurl \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | cURL and libcurl \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.2 | 13.1.0 | Medium | cURL and libcurl \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl \nEnterprise Manager | 3.1.1 | None | Medium | cURL \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable1 | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable1 | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.3.0 \n4.6.0 | Not vulnerable1 | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable1 | None \nF5 iWorkflow | None | 2.0.0 - 2.3.0 | Not vulnerable1 | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | cURL \n \n1 The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nBIG-IP\n\nIf your custom health monitor references the libcurl library, or if you have any custom cURL scripts installed, F5 recommends that you modify the monitor to avoid any reference to the affected cURL library.\n\nARX\n\nTo mitigate this vulnerability, do not enable the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "edition": 1, "modified": "2018-09-13T20:37:00", "published": "2017-04-12T17:01:00", "id": "F5:K01006862", "href": "https://support.f5.com/csp/article/K01006862", "title": "cURL and libcurl vulnerability CVE-2016-8615", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-06T22:40:08", "bulletinFamily": "software", "cvelist": ["CVE-2016-8624"], "description": "\nF5 Product Development has assigned ID 655421 (BIG-IP), ID 655675 (BIG-IQ), ID 655804 (F5 iWorkflow), ID 655673 (Enterprise Manager), ID 476510 (ARX), and CPF-23662, CPF-23663, and CPF-23664 (Traffix SDC) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H85235351 on the **Diagnostics** &gt; **Identified** &gt; **Low** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.2 | 13.1.0 | Low | cURL and libcurl \nBIG-IP Edge Gateway | 11.2.1 | None | Low | cURL and libcurl \nBIG-IP GTM | 11.4.0 - 11.6.1 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | cURL and libcurl \nBIG-IP WebAccelerator | 11.2.1 | None | Low | cURL and libcurl \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.1.0 | Low | cURL and libcurl \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl via the Management API (disabled by default) \nEnterprise Manager | 3.1.1 | None | Low | cURL and libcurl \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ ADC | 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | None | Low | cURL and libcurl \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | cURL and libcurl \nF5 iWorkflow | 2.0.0 - 2.1.0 | None | Low | cURL and libcurl \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | cURL and libcurl \n \n1 The specified product contains the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nBIG-IP, BIG-IQ, Enterprise Manager, and iWorkflow\n\nTo mitigate this vulnerability, if feasible, you should avoid using the local **cURL** utility in scripts and the BIG-IP system's Extended Application Verification (EAV) monitors on the vulnerable system. Additionally, you should only permit access to the system over a secure network and limit login access to trusted users. For more information about securing access to the BIG-IP or Enterprise Manager system, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\nARX\n\nTo mitigate this vulnerability, avoid enabling the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "edition": 1, "modified": "2018-09-13T20:10:00", "published": "2017-04-14T21:20:00", "id": "F5:K85235351", "href": "https://support.f5.com/csp/article/K85235351", "title": "cURL and libcurl vulnerability CVE-2016-8624", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-06T22:39:36", "bulletinFamily": "software", "cvelist": ["CVE-2016-8623"], "description": "\nF5 Product Development has assigned ID 655382 (BIG-IP), ID 655670 (BIG-IQ), ID 655803 (F5 iWorkflow), ID 655665 (Enterprise Manager), ID 476510 (ARX), and CPF-23662, CPF-23663, and CPF-23664 (Traffix SDC) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP AAM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Low | cURL and libcurl \nBIG-IP AFM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Low | cURL and libcurl \nBIG-IP Analytics | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP APM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP ASM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP DNS | 13.0.0 \n12.0.0 - 12.1.3 | 13.1.0 | Low | cURL and libcurl \nBIG-IP Edge Gateway | 11.2.1 | None | Low | cURL and libcurl \nBIG-IP GTM | 11.4.0 - 11.6.2 \n11.2.1 | None | Low | cURL and libcurl \nBIG-IP Link Controller | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 \n11.2.1 | 13.1.0 | Low | cURL and libcurl \nBIG-IP PEM | 13.0.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.2 | 13.1.0 | Low | cURL and libcurl \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Low | cURL and libcurl \nBIG-IP WebAccelerator | 11.2.1 | None | Low | cURL and libcurl \nBIG-IP WebSafe | 13.0.0 \n12.0.0 - 12.1.3 \n11.6.0 - 11.6.2 | 13.1.0 | Low | cURL and libcurl \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl via the Management API (disabled by default) \nEnterprise Manager | 3.1.1 | None | Low | cURL and libcurl \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ ADC | 4.5.0 | None | Low | cURL and libcurl \nBIG-IQ Centralized Management | 5.0.0 - 5.3.0 \n4.6.0 | None | Low | cURL and libcurl \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | cURL and libcurl \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | Low | cURL and libcurl \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | cURL and libcurl \n \n1 The specified product contains the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nBIG-IP, BIG-IQ, Enterprise Manager, and iWorkflow\n\nTo mitigate this vulnerability, if feasible, you should avoid using the local** cURL **utility in scripts and the BIG-IP system's Extended Application Verification (EAV) monitors on the vulnerable system. Additionally, you should only permit access to the system over a secure network and limit login access to trusted users. For more information about securing access to the BIG-IP or Enterprise Manager system, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\nARX\n\nTo mitigate this vulnerability, avoid enabling the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "edition": 1, "modified": "2018-09-13T20:16:00", "published": "2017-04-14T20:17:00", "id": "F5:K84940705", "href": "https://support.f5.com/csp/article/K84940705", "title": "cURL and libcurl vulnerability CVE-2016-8623", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-04-06T22:40:05", "bulletinFamily": "software", "cvelist": ["CVE-2016-8619"], "description": "\nF5 Product Development has assigned ID 655371 (BIG-IP), IDs CPF-23662, CPF-23663 and CPF-23664 (Traffix), and ID 476510 (ARX) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H46123931 on the **Diagnostics** &gt; **Identified** &gt; **Medium** page.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP AAM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP AFM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP Analytics | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP APM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP ASM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP DNS | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP Edge Gateway | 11.2.1 | None | Medium | cURL and libcurl \nBIG-IP GTM | 11.4.0 - 11.6.3 \n11.2.1 | None | Medium | cURL and libcurl \nBIG-IP Link Controller | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 \n11.2.1 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP PEM | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.4.0 - 11.6.3 | 13.1.0 | Medium | cURL and libcurl \nBIG-IP PSM | 11.4.0 - 11.4.1 | None | Medium | cURL and libcurl \nBIG-IP WebAccelerator | 11.2.1 | None | Medium | cURL and libcurl \nBIG-IP WebSafe | 13.0.0 - 13.0.1 \n12.0.0 - 12.1.4 \n11.6.0 - 11.6.3 | 13.1.0 | Medium | cURL and libcurl \nARX | 6.2.0 - 6.4.0 | None | Low | libcurl \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 5.0.0 - 5.1.0 \n4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nF5 iWorkflow | None | 2.0.0 - 2.1.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.2 | Not vulnerable1 | None \nTraffix SDC | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | None | Medium | cURL \n \n1The specified product contains the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nBIG-IP\n\nIf your custom health monitor references the libcurl library, or if you have any custom cURL scripts installed, F5 recommends that you modify the monitor to avoid any reference to the affected cURL library for Kerberos authentication.\n\nARX\n\nTo mitigate this vulnerability, do not enable the API functionality.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "edition": 1, "modified": "2019-02-21T19:00:00", "published": "2017-04-12T17:36:00", "id": "F5:K46123931", "href": "https://support.f5.com/csp/article/K46123931", "title": "cURL and libcurl vulnerability CVE-2016-8619", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "hackerone": [{"lastseen": "2018-10-13T12:24:52", "bulletinFamily": "bugbounty", "bounty": 500.0, "cvelist": ["CVE-2016-8624"], "description": "invalid URL parsing with '#'\n============================\n\nProject cURL Security Advisory, November 2, 2016 -\n[Permalink] https://curl.haxx.se/docs/adv_20161102J.html\n\nVULNERABILITY\n-------------\n\ncurl doesn't parse the authority component of the URL correctly when the host\nname part ends with a '#' character, and could instead be tricked into\nconnecting to a different host. This may have security implications if you for\nexample use a URL parser that follows the RFC to check for allowed domains\nbefore using curl to request them.\n\nPassing in `http://example.com#@evil.com/x.txt` would wrongly make curl send a\nrequest to evil.com while your browser would connect to example.com given the\nsame URL.\n\nThe problem exists for most protocol schemes.\n\nWe are not aware of any exploit of this flaw.\n\nINFO\n----\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the name\nCVE-2016-8624 to this issue.\n\nAFFECTED VERSIONS\n-----------------\n\nThis flaw exists in the following curl versions.\n\n- Affected versions: curl 7.1 to and including 7.50.3\n- Not affected versions: curl >= 7.51.0\n\nlibcurl is used by many applications, but not always advertised as such!\n\nTHE SOLUTION\n------------\n\nIn version 7.51.0, the parser function is fixed.\n\nA [patch for CVE-2016-8624](https://curl.haxx.se/CVE-2016-8624.patch) is\navailable.\n\nRECOMMENDATIONS\n---------------\n\nWe suggest you take one of the following actions immediately, in order of\npreference:\n\n A - Upgrade curl and libcurl to version 7.51.0\n\n B - Apply the patch to your version and rebuild\n\n C - Strip out the parts of the URLs containing '#' before passing them to curl\n\nTIME LINE\n---------\n\nIt was first reported to the curl project on October 10 by Fernando Mu\u00f1oz.\n\nWe contacted distros@openwall on October 19.\n\ncurl 7.51.0 was released on November 2 2016, coordinated with the publication\nof this advisory.\n\nCREDITS\n-------\n\nThanks to Fernando Mu\u00f1oz!", "modified": "2018-01-11T20:41:15", "published": "2016-11-05T21:31:51", "id": "H1:180434", "href": "https://hackerone.com/reports/180434", "type": "hackerone", "title": "Data Processing (IBB): cURL / libcURL - CVE-2016-8624 invalid URL parsing with '#'", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "myhack58": [{"lastseen": "2016-12-06T18:20:23", "bulletinFamily": "info", "cvelist": ["CVE-2016-8623", "CVE-2016-8619", "CVE-2016-8617", "CVE-2016-8622"], "edition": 1, "description": "! [](/Article/UploadPic/2016-12/201612625228430. png? www. myhack58. com) \nSecurity expert on cURL conducted an audit that found dozens of security vulnerabilities in the latest version has been fixed. \ncURL surely we are not unfamiliar, it is an open source command-line tool and library that supports a variety of protocols to transfer data. cURL is now the application is quite extensive, including network devices, printers, smartphones, and even some Internet of things devices such as cars. \nActive audit\nNot long ago, the cURL developers, Mozilla employees Daniel Stenberg please Mozilla Secure Open Source(SOS)project of the cURL for a security audit. \n\u201cI give the Mozilla Secure Open Source project conducted a Safety Audit. This project is funded by the Mozilla looking for third-party companies together to participate in, and ultimately pay for. Involved in the audit of the company's named Cure53 it.\u201d Very well in the blog writes.\u201c The reason I apply for the audit is because recently I feel there are some safety-related issues, I think we in the Security aspects may be lacking, so I want to let the experts check it.\u201d \nCure53 of 5 experts on the cURL for a period of 20 days of audit and found a total of 23 security issues. \nAudit results\nThese security issues, 9 is a security vulnerability. Expert combines 2 of which are security vulnerabilities--one of which is classified as\u201cplain bugs\u201d, because in a practical attack scenarios for use will be very difficult. In addition, the audit found. 4 high-risk vulnerabilities and 4 medium-risk vulnerabilities. \nHigh-risk vulnerability vulnerability number CVE-2016-8617, CVE-2016-8619, CVE-2016-8622 and CVE-2016-8623\u3002 These are remote execution vulnerability. \nFor example the following vulnerabilities: \nCRL-01-014 unescape_word()integer overflow resulting in a negative number of the array index of the high-risk\uff09 \ndict. c unescape_word()function there is the following code: \nstatic char *unescape_word(struct Curl_easy *data, const char *inputbuff) { char *newp; char *dictp; char *ptr; int len; char ch; int olen=0; newp = curl_easy_unescape(data, inputbuff, 0, &amp;len); if(! newp)return NULL; dictp = malloc(((size_t)len)*2 + 1); /* add one for terminating zero */ if(dictp) { /* According to RFC2229 section 2.2, these letters need to be escaped with \\\\[letter] */ for(ptr = newp; (ch = *ptr) != 0; ptr++) { if((ch 32) || (ch == 127) || (ch == '\\\") || (ch== '\\\"') || (ch== '\\\\\\')) { dictp[olen++] = '\\\\\\'; } dictp[olen++] = ch; } dictp[olen]=0; }free(newp); return dictp; } \nObviously, len than pow(2,31)is small, but the output can be expanded to twice the size, that is to say when the olen is the value of INT_MAX, The can be increased. This will lead to signed integer overflow. \nSince olen has been used as an array index, a negative array index will point to Unallocated memory. \nTo verify the vulnerability, you can at 6GB or more of free Memory 64-bit computers run the following code. This test will get a more than 1GB long the dict:// URL. \n#include #include #include #include #include int main(int argc, char *argv[]){ char *dicturl = malloc(23 + (1ULL if (! dicturl) errx(1, \"malloc\"); strcpy(dicturl, \"dict://localhost/MATCH:\"); memset(dicturl + 23, '\\\"', (1ULL dicturl[23 + (1ULL CURL *hnd = curl_easy_init(); curl_easy_setopt(hnd, CURLOPT_URL, dicturl); free(dicturl); curl_easy_setopt(hnd, CURLOPT_NOPROGRESS, 1L); CURLcode ret = curl_easy_perform(hnd); curl_easy_cleanup(hnd); return (int)ret;} \nRunning will cause the following crash information: \n$ gdb ./ negative_dict_url[...](gdb) runStarting program: [...][...]Program received signal SIGSEGV, Segmentation fault. 0x00007ffff7b6975b in unescape_word (data=0x63a0b0, inputbuff=0x7fffb0fca017 '\\\"' ...) at dict. c:116116 dictp[olen++] = '\\\\\\';(gdb) x/1i $pc=&gt; 0x7ffff7b6975b word+170&gt;: mov(gdb) print/x $rax$1 = 0x7ffdf0dba010(gdb) print/x dictp$2 = 0x7ffe70dba010(gdb) print olen$3 = -2147483647 \nBut in fact, the audit report mentioned that the cURL library the overall security and robustness are very good. \nAlso please do not worry, the new version of cURL has been on the line, 7.51. 0 version fixes a total of 11 vulnerabilities, 7 of which are by Cure53 the audit team found, the other vulnerability is by Lu\u1eadt Nguy\u1ec5n, Christian Heimes and Fernando Mu\u00f1oz. \nStenberg pointed out that cURL is a very commonly used software, and therefore, the audit for the user is of great significance. \n\u201cSince the curl is the world's most commonly used software, and therefore the curl if there is a problem may be of a variety of tools, equipment, applications resulting in a significant impact. We don't want that kind of thing.\u201d \n\n", "modified": "2016-12-06T00:00:00", "published": "2016-12-06T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/81821.htm", "id": "MYHACK58:62201681821", "type": "myhack58", "title": "Note, the cURL of the vulnerability nor less-vulnerability warning-the black bar safety net", "cvss": {"score": 0.0, "vector": "NONE"}}], "gentoo": [{"lastseen": "2017-01-19T20:59:34", "bulletinFamily": "unix", "cvelist": ["CVE-2016-8620", "CVE-2016-8623", "CVE-2016-5420", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8619", "CVE-2014-8150", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-7141", "CVE-2016-9594", "CVE-2016-0755", "CVE-2016-8617", "CVE-2016-8622", "CVE-2016-8624", "CVE-2016-3739", "CVE-2016-5421", "CVE-2016-9586", "CVE-2016-5419", "CVE-2014-8151", "CVE-2016-7167", "CVE-2016-8621"], "edition": 1, "description": "### Background\n\ncURL is a tool and libcurl is a library for transferring data with URL syntax. \n\n### Description\n\nMultiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers and bug reports referenced for details. \n\n### Impact\n\nRemote attackers could conduct a Man-in-the-Middle attack to obtain sensitive information, cause a Denial of Service condition, or execute arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll cURL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/curl-7.52.1\"", "modified": "2017-01-19T00:00:00", "published": "2017-01-19T00:00:00", "href": "https://security.gentoo.org/glsa/201701-47", "id": "GLSA-201701-47", "title": "cURL: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2019-12-11T13:30:43", "bulletinFamily": "unix", "cvelist": ["CVE-2016-0718", "CVE-2016-4483", "CVE-2016-4975", "CVE-2016-5131", "CVE-2016-7167", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625", "CVE-2016-9318", "CVE-2016-9596", "CVE-2016-9597", "CVE-2016-9598", "CVE-2017-1000254", "CVE-2017-1000257", "CVE-2017-18258", "CVE-2017-6004", "CVE-2017-7186", "CVE-2017-7244", "CVE-2017-7245", "CVE-2017-7246", "CVE-2017-9047", "CVE-2017-9048", "CVE-2017-9049", "CVE-2017-9050", "CVE-2018-0500"], "description": "This release adds the new Apache HTTP Server 2.4.29 packages that are part\nof the JBoss Core Services offering.\n\nThis release serves as a replacement for Red Hat JBoss Core Services\nApache HTTP Server 2.4.23, and includes bug fixes and enhancements. Refer\nto the Release Notes for information on the most significant bug fixes,\nenhancements and component upgrades included in this release.\n\nSecurity Fix(es):\n\n* expat: Out-of-bounds heap read on crafted input causing crash (CVE-2016-0718)\n* curl: escape and unescape integer overflows (CVE-2016-7167)\n* curl: Cookie injection for other servers (CVE-2016-8615)\n* curl: Case insensitive password comparison (CVE-2016-8616)\n* curl: Out-of-bounds write via unchecked multiplication (CVE-2016-8617)\n* curl: Double-free in curl_maprintf (CVE-2016-8618)\n* curl: Double-free in krb5 code (CVE-2016-8619)\n* curl: curl_getdate out-of-bounds read (CVE-2016-8621)\n* curl: URL unescape heap overflow via integer truncation (CVE-2016-8622)\n* curl: Use-after-free via shared cookies (CVE-2016-8623)\n* curl: Invalid URL parsing with '#' (CVE-2016-8624)\n* curl: IDNA 2003 makes curl use wrong host (CVE-2016-8625)\n* libxml2: out-of-bounds read (unfixed CVE-2016-4483 in JBCS) (CVE-2016-9598)\n* pcre: Out-of-bounds read in compile_bracket_matchingpath function (8.41/3) (CVE-2017-6004)\n* pcre: Invalid Unicode property lookup (8.41/7, 10.24/2) (CVE-2017-7186)\n* pcre: invalid memory read in_pcre32_xclass (pcre_xclass.c) (CVE-2017-7244)\n* pcre: stack-based buffer overflow write in pcre32_copy_substring (CVE-2017-7245)\n* pcre: stack-based buffer overflow write in pcre32_copy_substring (CVE-2017-7246)\n* curl: FTP PWD response parser out of bounds read (CVE-2017-1000254)\n* curl: IMAP FETCH response out of bounds read (CVE-2017-1000257)\n* curl: Heap-based buffer overflow in Curl_smtp_escape_eob() when uploading data over SMTP (CVE-2018-0500)\n\nDetails around this issue, including information about the CVE, severity of\nthe issue, and the CVSS score can be found on the CVE page listed in the\nReference section below.\n\nThe following packages have been upgraded to a newer upstream version:\n* Curl (7.57.0)\n* OpenSSL (1.0.2n)\n* Expat (2.2.5)\n* PCRE (8.41)\n* libxml2 (2.9.7)\n\nAcknowledgements:\n\nCVE-2017-1000254: Red Hat would like to thank Daniel Stenberg for reporting this issue.\nUpstream acknowledges Max Dymond as the original reporter.\nCVE-2017-1000257: Red Hat would like to thank the Curl project for reporting this issue. Upstream acknowledges Brian Carpenter, (the OSS-Fuzz project) as the original reporter.\nCVE-2018-0500: Red Hat would like to thank the Curl project for reporting this issue.", "modified": "2018-09-05T09:26:14", "published": "2018-08-16T20:05:21", "id": "RHSA-2018:2486", "href": "https://access.redhat.com/errata/RHSA-2018:2486", "type": "redhat", "title": "(RHSA-2018:2486) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:46:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5419", "CVE-2016-5420", "CVE-2016-5421", "CVE-2016-7141", "CVE-2016-7167", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-8617", "CVE-2016-8618", "CVE-2016-8619", "CVE-2016-8620", "CVE-2016-8621", "CVE-2016-8622", "CVE-2016-8623", "CVE-2016-8624", "CVE-2016-8625", "CVE-2016-9586", "CVE-2017-1000100", "CVE-2017-1000101", "CVE-2017-1000254", "CVE-2017-1000257", "CVE-2017-15710", "CVE-2017-15715", "CVE-2017-7407", "CVE-2017-8816", "CVE-2017-8817", "CVE-2018-1000007", "CVE-2018-1000120", "CVE-2018-1000121", "CVE-2018-1000122", "CVE-2018-1000301", "CVE-2018-11763", "CVE-2018-1283", "CVE-2018-1301", "CVE-2018-1303", "CVE-2018-1312", "CVE-2018-1333", "CVE-2018-14618"], "description": "The Apache HTTP Server is a powerful, efficient, and extensible web server. The httpd24 packages provide a recent stable release of version 2.4 of the Apache HTTP Server, along with the mod_auth_kerb module.\n\nThe following packages have been upgraded to a later upstream version: httpd24-httpd (2.4.34), httpd24-curl (7.61.1). (BZ#1590833, BZ#1648928)\n\nSecurity Fix(es):\n\n* httpd: Improper handling of headers in mod_session can allow a remote user to modify session data for CGI applications (CVE-2018-1283)\n\n* httpd: Out of bounds read in mod_cache_socache can allow a remote attacker to cause DoS (CVE-2018-1303)\n\n* httpd: mod_http2: Too much time allocated to workers, possibly leading to DoS (CVE-2018-1333)\n\n* httpd: DoS for HTTP/2 connections by continuous SETTINGS frames (CVE-2018-11763)\n\n* httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)\n\n* httpd: <FilesMatch> bypass with a trailing newline in the file name (CVE-2017-15715)\n\n* httpd: Out of bounds access after failure in reading the HTTP request (CVE-2018-1301)\n\n* httpd: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)\n\n* curl: Multiple security issues were fixed in httpd24-curl (CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-1000257, CVE-2017-7407, CVE-2017-8816, CVE-2017-8817, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000301, CVE-2018-14618)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank the Curl project for reporting CVE-2017-8816, CVE-2017-8817, CVE-2017-1000254, CVE-2017-1000257, CVE-2018-1000007, CVE-2018-1000120, CVE-2018-1000122, CVE-2018-1000301, CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2018-14618, and CVE-2018-1000121. Upstream acknowledges Alex Nichols as the original reporter of CVE-2017-8816; the OSS-Fuzz project as the original reporter of CVE-2017-8817 and CVE-2018-1000301; Max Dymond as the original reporter of CVE-2017-1000254 and CVE-2018-1000122; Brian Carpenter and the OSS-Fuzz project as the original reporters of CVE-2017-1000257; Craig de Stigter as the original reporter of CVE-2018-1000007; Duy Phan Thanh as the original reporter of CVE-2018-1000120; Even Rouault as the original reporter of CVE-2017-1000100; Brian Carpenter as the original reporter of CVE-2017-1000101; Zhaoyang Wu as the original reporter of CVE-2018-14618; and Dario Weisser as the original reporter of CVE-2018-1000121.\n\nBug Fix(es):\n\n* Previously, the Apache HTTP Server from the httpd24 Software Collection was unable to handle situations when static content was repeatedly requested in a browser by refreshing the page. As a consequence, HTTP/2 connections timed out and httpd became unresponsive. This bug has been fixed, and HTTP/2 connections now work as expected in the described scenario. (BZ#1518737)\n\nEnhancement(s):\n\n* This update adds the mod_md module to the httpd24 Software Collection. This module enables managing domains across virtual hosts and certificate provisioning using the Automatic Certificate Management Environment (ACME) protocol. The mod_md module is available only for Red Hat Enterprise Linux 7. (BZ#1640722)\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Software Collections 3.2 Release Notes linked from the References section.", "modified": "2018-11-13T13:04:35", "published": "2018-11-13T13:00:33", "id": "RHSA-2018:3558", "href": "https://access.redhat.com/errata/RHSA-2018:3558", "type": "redhat", "title": "(RHSA-2018:3558) Moderate: httpd24 security, bug fix, and enhancement update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "apple": [{"lastseen": "2020-12-24T20:42:29", "bulletinFamily": "software", "cvelist": ["CVE-2016-7628", "CVE-2016-8620", "CVE-2016-8623", "CVE-2016-5420", "CVE-2016-7714", "CVE-2016-7414", "CVE-2016-7647", "CVE-2016-4693", "CVE-2016-7594", "CVE-2016-8615", "CVE-2016-8616", "CVE-2016-7606", "CVE-2016-7667", "CVE-2016-8619", "CVE-2016-7620", "CVE-2016-7603", "CVE-2016-7655", "CVE-2016-7761", "CVE-2016-7637", "CVE-2016-7616", "CVE-2016-8625", "CVE-2016-8618", "CVE-2016-7622", "CVE-2016-4691", "CVE-2016-7636", "CVE-2016-7661", "CVE-2016-7141", "CVE-2016-7615", "CVE-2016-7629", "CVE-2016-7644", "CVE-2016-7643", "CVE-2016-8617", "CVE-2016-7624", "CVE-2016-1777", "CVE-2016-7413", "CVE-2016-7662", "CVE-2016-7617", "CVE-2016-7663", "CVE-2016-6304", "CVE-2016-7618", "CVE-2016-7619", "CVE-2016-7609", "CVE-2016-7627", "CVE-2016-8622", "CVE-2016-7416", "CVE-2016-7657", "CVE-2016-7602", "CVE-2016-7633", "CVE-2016-7625", "CVE-2016-7604", "CVE-2016-7660", "CVE-2016-7411", "CVE-2016-8624", "CVE-2016-7417", "CVE-2016-7742", "CVE-2016-7621", "CVE-2016-6303", "CVE-2016-7600", "CVE-2016-7418", "CVE-2016-5421", "CVE-2016-7596", "CVE-2016-7607", "CVE-2016-7605", "CVE-2016-7591", "CVE-2016-7595", "CVE-2016-7588", "CVE-2016-5419", "CVE-2016-7167", "CVE-2016-7612", "CVE-2016-8621", "CVE-2016-7608", "CVE-2016-7659", "CVE-2016-7412", "CVE-2016-7658"], "description": "## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page. You can encrypt communications with Apple using the [Apple Product Security PGP Key](<https://support.apple.com/kb/HT201601>).\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\n\n\n## macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite\n\nReleased December 13, 2016\n\n**apache_mod_php**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A remote attacker may cause an unexpected application termination or arbitrary code execution\n\nDescription: Multiple issues existed in PHP before 5.6.26. These were addressed by updating PHP to version 5.6.26.\n\nCVE-2016-7411\n\nCVE-2016-7412\n\nCVE-2016-7413\n\nCVE-2016-7414\n\nCVE-2016-7416\n\nCVE-2016-7417\n\nCVE-2016-7418\n\n**AppleGraphicsPowerManagement**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to cause a system denial of service\n\nDescription: A null pointer dereference was addressed through improved input validation.\n\nCVE-2016-7609: daybreaker@Minionz working with Trend Micro's Zero Day Initiative\n\n**Assets**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local attacker may modify downloaded mobile assets\n\nDescription: A permissions issue existed in mobile assets. This issue was addressed through improved access restrictions.\n\nCVE-2016-7628: Marcel Bresink of Marcel Bresink Software-Systeme\n\nEntry updated December 15, 2016\n\n**Audio**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing a maliciously crafted file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7658: Haohao Kong of Keen Lab (@keen_lab) of Tencent\n\nCVE-2016-7659: Haohao Kong of Keen Lab (@keen_lab) of Tencent\n\n**Bluetooth**\n\nAvailable for: macOS Sierra 10.12.1, OS X El Capitan v10.11.6, and OS X Yosemite v10.10.5\n\nImpact: An application may be able to execute arbitrary code with kernel privileges \n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-7596: Pekka Oikarainen, Matias Karhumaa and Marko Laakso of Synopsys Software Integrity Group\n\nEntry updated December 14, 2016\n\n**Bluetooth**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to cause a denial of service\n\nDescription: A null pointer dereference was addressed through improved input validation.\n\nCVE-2016-7605: daybreaker of Minionz\n\n**Bluetooth**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to execute arbitrary code with system privileges\n\nDescription: A type confusion issue was addressed through improved memory handling.\n\nCVE-2016-7617: Radu Motspan working with Trend Micro's Zero Day Initiative, Ian Beer of Google Project Zero\n\n**CoreCapture**\n\nAvailable for: macOS Sierra 10.12.1 and OS X El Capitan v10.11.6\n\nImpact: A local user may be able to cause a system denial of service\n\nDescription: A null pointer dereference was addressed through improved state management.\n\nCVE-2016-7604: daybreaker of Minionz\n\nEntry updated December 14, 2016\n\n**CoreFoundation**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing malicious strings may lead to an unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue existed in the processing of strings. This issue was addressed through improved bounds checking.\n\nCVE-2016-7663: an anonymous researcher\n\n**CoreGraphics**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing a maliciously crafted font file may lead to unexpected application termination\n\nDescription: A null pointer dereference was addressed through improved input validation.\n\nCVE-2016-7627: TRAPMINE Inc. &amp; Meysam Firouzi @R00tkitSMM\n\n**CoreMedia External Displays**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local application may be able to execute arbitrary code in the context of the mediaserver daemon\n\nDescription: A type confusion issue was addressed through improved memory handling.\n\nCVE-2016-7655: Keen Lab working with Trend Micro\u2019s Zero Day Initiative\n\n**CoreMedia Playback**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing a maliciously crafted .mp4 file may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-7588: dragonltx of Huawei 2012 Laboratories\n\n**CoreStorage**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to cause a system denial of service\n\nDescription: A null pointer dereference was addressed through improved input validation.\n\nCVE-2016-7603: daybreaker@Minionz working with Trend Micro's Zero Day Initiative\n\n**CoreText**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking.\n\nCVE-2016-7595: riusksk(\u6cc9\u54e5) of Tencent Security Platform Department\n\n**CoreText**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing a maliciously crafted string may lead to a denial of service\n\nDescription: An issue when rendering overlapping ranges was addressed through improved validation.\n\nCVE-2016-7667: Nasser Al-Hadhrami (@fast_hack), Saif Al-Hinai (welcom_there) of Digital Unit (dgunit.com)\n\nEntry added December 15, 2016\n\n**curl**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An attacker in a privileged network position may be able to leak sensitive user information\n\nDescription: Multiple issues existed in curl. These issues were addressed by updating to curl version 7.51.0.\n\nCVE-2016-5419\n\nCVE-2016-5420\n\nCVE-2016-5421\n\nCVE-2016-7141\n\nCVE-2016-7167\n\nCVE-2016-8615\n\nCVE-2016-8616\n\nCVE-2016-8617\n\nCVE-2016-8618\n\nCVE-2016-8619\n\nCVE-2016-8620\n\nCVE-2016-8621\n\nCVE-2016-8622\n\nCVE-2016-8623\n\nCVE-2016-8624\n\nCVE-2016-8625\n\n**Directory Services**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to gain root privileges\n\nDescription: A use after free issue was addressed through improved memory management.\n\nCVE-2016-7633: Ian Beer of Google Project Zero\n\n**Disk Images**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7616: daybreaker@Minionz working with Trend Micro's Zero Day Initiative\n\n**FontParser**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing a maliciously crafted font file may lead to arbitrary code execution\n\nDescription: Multiple memory corruption issues existed in the handling of font files. These issues were addressed through improved bounds checking.\n\nCVE-2016-4691: riusksk(\u6cc9\u54e5) of Tencent Security Platform Department\n\n**Foundation**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Opening a maliciously crafted .gcx file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7618: riusksk(\u6cc9\u54e5) of Tencent Security Platform Department\n\n**Grapher**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Opening a maliciously crafted .gcx file may lead to unexpected application termination or arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7622: riusksk(\u6cc9\u54e5) of Tencent Security Platform Department\n\n**ICU**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-7594: Andr\u00e9 Bargull\n\n**ImageIO**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A remote attacker may be able to leak memory\n\nDescription: An out-of-bounds read was addressed through improved bounds checking.\n\nCVE-2016-7643: Yangkang (@dnpushme) of Qihoo360 Qex Team\n\n**Intel Graphics Driver**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges \n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7602: daybreaker@Minionz working with Trend Micro's Zero Day Initiative\n\n**IOFireWireFamily**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local attacker may be able to read kernel memory\n\nDescription: A memory corruption issue was addressed through improved memory handling.\n\nCVE-2016-7608: Brandon Azad\n\n**IOAcceleratorFamily**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to determine kernel memory layout\n\nDescription: A shared memory issue was addressed through improved memory handling.\n\nCVE-2016-7624 : Qidan He (@flanker_hqd) from KeenLab working with Trend Micro's Zero Day Initiative\n\n**IOHIDFamily**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local application with system privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed through improved memory management.\n\nCVE-2016-7591: daybreaker of Minionz\n\n**IOKit**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to read kernel memory\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7657: Keen Lab working with Trend Micro\u2019s Zero Day Initiative\n\n**IOKit**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to determine kernel memory layout\n\nDescription: A shared memory issue was addressed through improved memory handling.\n\nCVE-2016-7625: Qidan He (@flanker_hqd) from KeenLab working with Trend Micro's Zero Day Initiative\n\n**IOKit**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to determine kernel memory layout\n\nDescription: A shared memory issue was addressed through improved memory handling.\n\nCVE-2016-7714: Qidan He (@flanker_hqd) from KeenLab working with Trend Micro's Zero Day Initiative\n\nEntry added January 25, 2017\n\n**IOSurface**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to determine kernel memory layout\n\nDescription: A shared memory issue was addressed through improved memory handling.\n\nCVE-2016-7620: Qidan He (@flanker_hqd) from KeenLab working with Trend Micro's Zero Day Initiative\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges \n\nDescription: Multiple memory corruption issues were addressed through improved input validation.\n\nCVE-2016-7606: @cocoahuke, Chen Qin of Topsec Alpha Team (topsec.com)\n\nCVE-2016-7612: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to read kernel memory\n\nDescription: An insufficient initialization issue was addressed by properly initializing memory returned to user space.\n\nCVE-2016-7607: Brandon Azad\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to cause a system denial of service\n\nDescription: A denial of service issue was addressed through improved memory handling.\n\nCVE-2016-7615: The UK's National Cyber Security Centre (NCSC)\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel\n\nDescription: A use after free issue was addressed through improved memory management.\n\nCVE-2016-7621: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to gain root privileges\n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7637: Ian Beer of Google Project Zero\n\n**Kernel**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local application with system privileges may be able to execute arbitrary code with kernel privileges\n\nDescription: A use after free issue was addressed through improved memory management.\n\nCVE-2016-7644: Ian Beer of Google Project Zero\n\n**Kernel**\n\n****Available for: macOS Sierra 10.12.1\n\nImpact: An application may be able to cause a denial of service\n\nDescription: A denial of service issue was addressed through improved memory handling.\n\nCVE-2016-7647: Lufeng Li of Qihoo 360 Vulcan Team\n\nEntry added May 17, 2017\n\n**kext tools**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to execute arbitrary code with kernel privileges \n\nDescription: A memory corruption issue was addressed through improved input validation.\n\nCVE-2016-7629: @cocoahuke\n\n**libarchive**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local attacker may be able to overwrite existing files\n\nDescription: A validation issue existed in the handling of symlinks. This issue was addressed through improved validation of symlinks.\n\nCVE-2016-7619: an anonymous researcher\n\n**LibreSSL**\n\nAvailable for: macOS Sierra 10.12.1 and OS X El Capitan v10.11.6\n\nImpact: An attacker with a privileged network position may be able to cause a denial of service\n\nDescription: A denial of service issue in unbounded OCSP growth was addressed through improved memory handling.\n\nCVE-2016-6304\n\nEntry updated December 14, 2016\n\n**OpenLDAP**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An attacker may be able to exploit weaknesses in the RC4 cryptographic algorithm\n\nDescription: RC4 was removed as a default cipher.\n\nCVE-2016-1777: Pepi Zawodsky\n\n**OpenPAM**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local unprivileged user may gain access to privileged applications\n\nDescription: PAM authentication within sandboxed applications failed insecurely. This was addressed with improved error handling.\n\nCVE-2016-7600: Perette Barella of DeviousFish.com\n\n**OpenSSL**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An application may be able to execute arbitrary code\n\nDescription: An overflow issue existed in MDC2_Update(). This issue was addressed through improved input validation.\n\nCVE-2016-6303\n\n**OpenSSL**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An attacker with a privileged network position may be able to cause a denial of service\n\nDescription: A denial of service issue in unbounded OCSP growth was addressed through improved memory handling.\n\nCVE-2016-6304\n\n**Power Management**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to gain root privileges\n\nDescription: An issue in mach port name references was addressed through improved validation.\n\nCVE-2016-7661: Ian Beer of Google Project Zero\n\n**Security**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An attacker may be able to exploit weaknesses in the 3DES cryptographic algorithm\n\nDescription: 3DES was removed as a default cipher.\n\nCVE-2016-4693: Ga\u00ebtan Leurent and Karthikeyan Bhargavan from INRIA Paris\n\n**Security**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: An attacker in a privileged network position may be able to cause a denial of service\n\nDescription: A validation issue existed in the handling of OCSP responder URLs. This issue was addressed by verifying OCSP revocation status after CA validation and limiting the number of OCSP requests per certificate.\n\nCVE-2016-7636: Maksymilian Arciemowicz (cxsecurity.com)\n\n**Security**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Certificates may be unexpectedly evaluated as trusted\n\nDescription: A certificate evaluation issue existed in certificate validation. This issue was addressed through additional validation of certificates.\n\nCVE-2016-7662: Apple\n\n**syslog**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A local user may be able to gain root privileges\n\nDescription: An issue in mach port name references was addressed through improved validation.\n\nCVE-2016-7660: Ian Beer of Google Project Zero\n\n**Wi-Fi**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: A malicious local user may be able to view sensitive network configuration information\n\nDescription: Network configuration was unexpectedly global. This issue was addressed by moving sensitive network configuration to per-user settings.\n\nCVE-2016-7761: Peter Loos, Karlsruhe, Germany\n\nEntry added January 24, 2017\n\n**xar**\n\nAvailable for: macOS Sierra 10.12.1\n\nImpact: Opening a maliciously crafted archive may lead to arbitrary code execution\n\nDescription: The use of an uninitialized variable was addressed through improved validation.\n\nCVE-2016-7742: Gareth Evans of Context Information Security\n\nEntry added January 10, 2017\n\nmacOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite includes the security content of [Safari 10.0.2](<https://support.apple.com/kb/HT207421>).\n", "edition": 3, "modified": "2020-07-27T08:14:17", "published": "2020-07-27T08:14:17", "id": "APPLE:HT207423", "href": "https://support.apple.com/kb/HT207423", "title": "About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite - Apple Support", "type": "apple", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}