DebianDEBIAN:DSA-3232-1:8267A[SECURITY] [DSA 3232-1] curl security update
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
77.1%
Debian Security Advisory DSA-3232-1 [email protected]
http://www.debian.org/security/ Alessandro Ghedini
April 22, 2015 http://www.debian.org/security/faq
Package : curl
CVE ID : CVE-2015-3143 CVE-2015-3144 CVE-2015-3145 CVE-2015-3148
Several vulnerabilities were discovered in cURL, an URL transfer library:
CVE-2015-3143
NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent
over the connection authenticated as a different user. This is
similar to the issue fixed in DSA-2849-1.
CVE-2015-3144
When parsing URLs with a zero-length hostname (such as "http://:80"),
libcurl would try to read from an invalid memory address. This could
allow remote attackers to cause a denial of service (crash). This
issue only affects the upcoming stable (jessie) and unstable (sid)
distributions.
CVE-2015-3145
When parsing HTTP cookies, if the parsed cookie's "path" element
consists of a single double-quote, libcurl would try to write to an
invalid heap memory address. This could allow remote attackers to
cause a denial of service (crash). This issue only affects the
upcoming stable (jessie) and unstable (sid) distributions.
CVE-2015-3148
When doing HTTP requests using the Negotiate authentication method
along with NTLM, the connection used would not be marked as
authenticated, making it possible to reuse it and send requests for
one user over the connection authenticated as a different user.
For the stable distribution (wheezy), these problems have been fixed in
version 7.26.0-1+wheezy13.
For the upcoming stable distribution (jessie), these problems have been
fixed in version 7.38.0-4+deb8u1.
For the unstable distribution (sid), these problems have been fixed in
version 7.42.0-1.
We recommend that you upgrade your curl packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Debian | 6 | all | curl | < 7.21.0-2.1+squeeze12 | curl_7.21.0-2.1+squeeze12_all.deb |
| Debian | 7 | kfreebsd-i386 | libcurl3 | < 7.26.0-1+wheezy13 | libcurl3_7.26.0-1+wheezy13_kfreebsd-i386.deb |
| Debian | 7 | kfreebsd-amd64 | libcurl3-gnutls | < 7.26.0-1+wheezy13 | libcurl3-gnutls_7.26.0-1+wheezy13_kfreebsd-amd64.deb |
| Debian | 8 | amd64 | libcurl4-openssl-dev | < 7.38.0-4+deb8u1 | libcurl4-openssl-dev_7.38.0-4+deb8u1_amd64.deb |
| Debian | 7 | amd64 | libcurl3-dbg | < 7.26.0-1+wheezy13 | libcurl3-dbg_7.26.0-1+wheezy13_amd64.deb |
| Debian | 8 | armhf | libcurl4-gnutls-dev | < 7.38.0-4+deb8u1 | libcurl4-gnutls-dev_7.38.0-4+deb8u1_armhf.deb |
| Debian | 8 | armhf | libcurl3-gnutls | < 7.38.0-4+deb8u1 | libcurl3-gnutls_7.38.0-4+deb8u1_armhf.deb |
| Debian | 8 | kfreebsd-i386 | libcurl3 | < 7.38.0-4+deb8u1 | libcurl3_7.38.0-4+deb8u1_kfreebsd-i386.deb |
| Debian | 7 | s390 | libcurl3-nss | < 7.26.0-1+wheezy13 | libcurl3-nss_7.26.0-1+wheezy13_s390.deb |
| Debian | 8 | s390x | libcurl3-dbg | < 7.38.0-4+deb8u1 | libcurl3-dbg_7.38.0-4+deb8u1_s390x.deb |
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
77.1%