ID OPENVAS:892798 Type openvas Reporter Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net Modified 2017-07-07T00:00:00
Description
Scott Cantor discovered that curl, a file retrieval tool, would disable
the CURLOPT_SSL_VERIFYHOST check (matching of the certificate's CN/SAN
against the requested host name) whenever the CURLOPT_SSL_VERIFYPEER
setting was disabled. Turning off peer verification should only have
disabled verification of the certificate trust chain, not the host name
check; as a result an attacker in a man-in-the-middle position could
impersonate a server to any application that deliberately disables
VERIFYPEER, using an arbitrary valid certificate (CVE-2013-4545; per the
CVE record this affects libcurl 7.18.0 through 7.32.0 built with OpenSSL).
The default configuration for the curl package is not affected by this
issue since CURLOPT_SSL_VERIFYPEER is enabled by default.
# OpenVAS Vulnerability Test
# $Id: deb_2798.nasl 6611 2017-07-07 12:07:20Z cfischer $
# Auto-generated from advisory DSA 2798-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
include("revisions-lib.inc");
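# Result text shown to the operator. The wording is excerpted from DSA 2798-1;
# the two libcurl option names are spelled as libcurl actually defines them
# (CURLOPT_SSL_VERIFYHOST / CURLOPT_SSL_VERIFYPEER) so the finding can be
# grepped for in application code. The advisory text had dropped the
# underscore in both, which this copy corrects.
tag_affected = "curl on Debian Linux";

tag_insight = "curl is a client to get files from servers using any of the supported
protocols. The command is designed to work without user interaction
or any kind of interactivity.";

# Fixed versions per suite; the squeeze/wheezy values are the thresholds the
# detection code below compares installed packages against.
tag_solution = "For the oldstable distribution (squeeze), this problem has been fixed in
version 7.21.0-2.1+squeeze5.
For the stable distribution (wheezy), this problem has been fixed in
version 7.26.0-1+wheezy5.
For the testing (jessie) and unstable (sid) distributions, this problem
has been fixed in version 7.33.0-1.
We recommend that you upgrade your curl packages.";

tag_summary = "Scott Cantor discovered that curl, a file retrieval tool, would disable
the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting
was disabled. This would also disable ssl certificate host name checks
when it should have only disabled verification of the certificate trust
chain.
The default configuration for the curl package is not affected by this
issue since CURLOPT_SSL_VERIFYPEER is enabled by default.";

# Version-based check only: it cannot tell whether any application on the
# host actually disables VERIFYPEER, which is the precondition for exposure.
tag_vuldetect = "This check tests the installed software version using the apt package manager.";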
if(description)
{
  # Identity and metadata of this NVT (auto-generated from DSA 2798-1).
  script_id(892798);
  script_version("$Revision: 6611 $");
  script_cve_id("CVE-2013-4545");
  script_tag(name:"last_modification", value:"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $");
  script_tag(name:"creation_date", value:"2013-11-17 00:00:00 +0100 (Sun, 17 Nov 2013)");
  # CVSSv2 4.3: network vector, medium complexity, no auth, partial integrity impact only.
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_name("Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net");
  script_family("Debian Local Security Checks");

  # Only meaningful once the SSH package inventory of a Debian host exists.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages");

  script_xref(name:"URL", value:"http://www.debian.org/security/2013/dsa-2798.html");

  # Report text, taken from the tag_* strings defined above. No "impact"
  # tag is set because the advisory supplies none.
  script_tag(name:"summary", value:tag_summary);
  script_tag(name:"vuldetect", value:tag_vuldetect);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}
include("pkg-lib-deb.inc");
# Detection: compare every binary package rebuilt by DSA 2798-1 against the
# suite's fixed version. isdpkgvuln() returns a report fragment when the
# installed package is older than `ver` (and NULL otherwise); fragments are
# concatenated so one finding lists every outdated package.
res = "";
report = "";

# oldstable (squeeze, DEB6.0): fixed in 7.21.0-2.1+squeeze5
foreach pkg (make_list("curl", "libcurl3", "libcurl3-dbg", "libcurl3-gnutls",
                       "libcurl4-gnutls-dev", "libcurl4-openssl-dev")) {
  res = isdpkgvuln(pkg:pkg, ver:"7.21.0-2.1+squeeze5", rls:"DEB6.0");
  if (res != NULL) {
    report += res;
  }
}

# stable (wheezy, DEB7.0): fixed in 7.26.0-1+wheezy5; wheezy additionally
# ships the NSS-backed libcurl3-nss / libcurl4-nss-dev packages.
foreach pkg (make_list("curl", "libcurl3", "libcurl3-dbg", "libcurl3-gnutls",
                       "libcurl3-nss", "libcurl4-gnutls-dev", "libcurl4-nss-dev",
                       "libcurl4-openssl-dev")) {
  res = isdpkgvuln(pkg:pkg, ver:"7.26.0-1+wheezy5", rls:"DEB7.0");
  if (res != NULL) {
    report += res;
  }
}

if (report != "") {
  security_message(data:report);
} else if (__pkg_match) {
  # __pkg_match is set by isdpkgvuln() when a listed package was found but
  # is already at or above the fixed version.
  exit(99); # Not vulnerable.
}
{"id": "OPENVAS:892798", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)", "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.", "published": "2013-11-17T00:00:00", "modified": "2017-07-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=892798", "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2013/dsa-2798.html"], "cvelist": ["CVE-2013-4545"], "type": "openvas", "lastseen": "2017-07-24T12:51:45", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. 
This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.", "edition": 1, "enchantments": {}, "hash": "b241f7ec72acf3717121158151d93df322adef54e29e25572eab8e8b7835079d", "hashmap": [{"hash": "864e9c68d80324a195a6d8befc1569de", "key": "references"}, {"hash": "1d2c24dd84d63e4892fa41f5502547ea", "key": "pluginID"}, {"hash": "6e9bdd2021503689a2ad9254c9cdf2b3", "key": "cvss"}, {"hash": "d2392d983ef64f6ab95d01e38de6ba37", "key": "sourceData"}, {"hash": "f84c522d6e696481a5842732aabf0dc3", "key": "description"}, {"hash": "7247ed8a8d44e8bd868630ffa4559a87", "key": "modified"}, {"hash": "2c00c409cde36d0e58910380491be656", "key": "title"}, {"hash": "a5ed9afc274998ae1dc2c4d97288c856", "key": "href"}, {"hash": "31685687dbec3fe4df89efc0b6dcbc70", "key": "published"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "123bc33aeb1db7ff157e9f48333ff1b9", "key": "cvelist"}, {"hash": "5474798d22021d679c1738be31fc4947", "key": "reporter"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=892798", "id": "OPENVAS:892798", "lastseen": "2017-07-02T21:11:12", "modified": "2017-05-05T00:00:00", "naslFamily": "Debian Local Security Checks", "objectVersion": "1.3", "pluginID": "892798", "published": "2013-11-17T00:00:00", "references": ["http://www.debian.org/security/2013/dsa-2798.html"], "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2798.nasl 6074 2017-05-05 09:03:14Z teissa $\n# Auto-generated from advisory DSA 2798-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright 
(c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"curl on Debian Linux\";\ntag_insight = \"curl is a client to get files from servers using any of the supported\nprotocols. The command is designed to work without user interaction\nor any kind of interactivity.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem\nhas been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.\";\ntag_summary = \"Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. 
This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892798);\n script_version(\"$Revision: 6074 $\");\n script_cve_id(\"CVE-2013-4545\");\n script_name(\"Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-11-17 00:00:00 +0100 (Sun, 17 Nov 2013)\");\n script_tag(name: \"cvss_base\", value:\"4.3\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2798.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:debian:debian_linux\", \"login/SSH/success\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += 
res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-nss\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-nss-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:11:12"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", 
"hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "123bc33aeb1db7ff157e9f48333ff1b9"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "f84c522d6e696481a5842732aabf0dc3"}, {"key": "href", "hash": "a5ed9afc274998ae1dc2c4d97288c856"}, {"key": "modified", "hash": "d89cc672a6266551218ef8145d1f22e2"}, {"key": "naslFamily", "hash": "74562d71b087df9eabd0c21f99b132cc"}, {"key": "pluginID", "hash": "1d2c24dd84d63e4892fa41f5502547ea"}, {"key": "published", "hash": "31685687dbec3fe4df89efc0b6dcbc70"}, {"key": "references", "hash": "864e9c68d80324a195a6d8befc1569de"}, {"key": "reporter", "hash": "5474798d22021d679c1738be31fc4947"}, {"key": "sourceData", "hash": "75284721774a33c82e6da964687b88b7"}, {"key": "title", "hash": "2c00c409cde36d0e58910380491be656"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "0260d07ba46c5771c62133995d1780cea282c3c1c54860475754834e1e679eb9", "viewCount": 0, "enchantments": {"vulnersScore": 5.0}, "objectVersion": "1.3", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2798.nasl 6611 2017-07-07 12:07:20Z cfischer $\n# Auto-generated from advisory DSA 2798-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"curl on Debian Linux\";\ntag_insight = \"curl is a client to get files from servers using any of the supported\nprotocols. The command is designed to work without user interaction\nor any kind of interactivity.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem\nhas been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.\";\ntag_summary = \"Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. 
This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892798);\n script_version(\"$Revision: 6611 $\");\n script_cve_id(\"CVE-2013-4545\");\n script_name(\"Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-11-17 00:00:00 +0100 (Sun, 17 Nov 2013)\");\n script_tag(name: \"cvss_base\", value:\"4.3\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2798.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"libcurl3\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-nss\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-nss-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "naslFamily": "Debian Local Security Checks", "pluginID": "892798"}
{"result": {"cve": [{"id": "CVE-2013-4545", "type": "cve", "title": "CVE-2013-4545", "description": "cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "published": "2013-11-23T06:55:04", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4545", "cvelist": ["CVE-2013-4545"], "lastseen": "2016-09-03T18:49:03"}], "f5": [{"id": "SOL15150", "type": "f5", "title": "SOL15150 - cURL and libcurl vulnerability CVE-2013-4545", "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "published": "2014-04-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15150.html", "cvelist": ["CVE-2013-4545"], "lastseen": "2016-09-26T17:23:21"}], "nessus": [{"id": "SUSE_SU-2014-0004-1.NASL", "type": "nessus", "title": "SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2014:0004-1)", "description": "This update fixes the following security issues with curl :\n\n - bnc#849596: ssl cert checks with unclear behaviour (CVE-2013-4545)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-05-20T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83606", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:35:17"}, {"id": "FEDORA_2013-22046.NASL", "type": "nessus", "title": "Fedora 20 : mingw-curl-7.33.0-1.fc20 (2013-22046)", "description": "- Update to 7.33.0\n\n - Fixes CVE-2013-4545, RHBZ #1031429\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-12-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=71406", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:36:15"}, {"id": "FEDORA_2013-21887.NASL", "type": "nessus", "title": "Fedora 19 : mingw-curl-7.33.0-1.fc19 (2013-21887)", "description": "- Update to 7.33.0\n\n - Fixes CVE-2013-4545, RHBZ #1031429\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-12-02T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=71151", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:33:16"}, {"id": "MANDRIVA_MDVSA-2013-276.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : curl (MDVSA-2013:276)", "description": "Updated curl packages fix security vulnerability :\n\nScott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain (CVE-2013-4545).", "published": "2013-11-22T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=71030", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:35:57"}, {"id": "DEBIAN_DSA-2798.NASL", "type": "nessus", "title": "Debian DSA-2798-1 : curl - unchecked ssl certificate host name", "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. 
This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain.\n\nThe default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default.", "published": "2013-11-21T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=70985", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:43:54"}, {"id": "OPENSUSE-2013-964.NASL", "type": "nessus", "title": "openSUSE Security Update : curl (openSUSE-SU-2013:1859-1)", "description": "This update fixes the following security issues with curl :\n\n - fix CVE-2013-4545 (bnc#849596) = acknowledge VERIFYHOST without VERIFYPEER", "published": "2014-06-13T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=75228", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:43:23"}, {"id": "SUSE_11_CURL-131204.NASL", "type": "nessus", "title": "SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8617 / 8621)", "description": "This update fixes the following security issues with curl :\n\n - ssl cert checks with unclear behaviour (CVE-2013-4545).\n (bnc#849596)", "published": "2014-01-03T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=71786", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:40:48"}, {"id": "UBUNTU_USN-2048-1.NASL", "type": "nessus", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : curl vulnerability (USN-2048-1)", "description": "Scott Cantor discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled. 
When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-12-06T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=71244", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-10-29T13:46:13"}, {"id": "GLASSFISH_CPU_APR_2015.NASL", "type": "nessus", "title": "Oracle GlassFish Server Multiple Vulnerabilities (April 2015 CPU) (POODLE)", "description": "The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities :\n\n - A flaw exists in the bundled cURL and libcurl packages.\n The certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) is disabled when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled. This allows a man-in-the-middle attacker to spoof SSL servers via an arbitrary valid certificate.\n (CVE-2013-4545)\n\n - A flaw exists in the bundled Network Security Services (NSS) library due to improper parsing of ASN.1 values in X.509 certificates. This allows a man-in-the-middle attacker to spoof RSA signatures via a crafted certificate. (CVE-2014-1568)\n\n - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. 
MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566)", "published": "2015-04-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82902", "cvelist": ["CVE-2014-3566", "CVE-2014-1568", "CVE-2013-4545"], "lastseen": "2017-10-29T13:33:33"}, {"id": "SOLARIS11_LIBCURL_20140415.NASL", "type": "nessus", "title": "Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure)", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. (CVE-2013-1944)\n\n - Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a '%' (percent) character. 
(CVE-2013-2174)\n\n - cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\n (CVE-2013-4545)\n\n - cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.\n (CVE-2014-0015)", "published": "2015-01-19T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=80662", "cvelist": ["CVE-2013-1944", "CVE-2014-0015", "CVE-2013-2174", "CVE-2013-4545"], "lastseen": "2017-10-29T13:41:26"}], "openvas": [{"id": "OPENVAS:867302", "type": "openvas", "title": "Fedora Update for mingw-curl FEDORA-2013-22046", "description": "Check for the Version of mingw-curl", "published": "2014-02-05T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=867302", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-07-25T10:48:49"}, {"id": "OPENVAS:841658", "type": "openvas", "title": "Ubuntu Update for curl USN-2048-1", "description": "Check for the Version of curl", "published": "2013-12-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=841658", "cvelist": ["CVE-2013-4545"], "lastseen": "2018-01-26T11:09:48"}, {"id": "OPENVAS:1361412562310892798", "type": "openvas", "title": "Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)", "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe 
CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSL_VERIFYPEER is enabled by default.", "published": "2013-11-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892798", "cvelist": ["CVE-2013-4545"], "lastseen": "2018-04-06T11:22:25"}, {"id": "OPENVAS:1361412562310841658", "type": "openvas", "title": "Ubuntu Update for curl USN-2048-1", "description": "Check for the Version of curl", "published": "2013-12-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841658", "cvelist": ["CVE-2013-4545"], "lastseen": "2018-04-06T11:22:03"}, {"id": "OPENVAS:1361412562310867097", "type": "openvas", "title": "Fedora Update for mingw-curl FEDORA-2013-21887", "description": "Check for the Version of mingw-curl", "published": "2013-12-03T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867097", "cvelist": ["CVE-2013-4545"], "lastseen": "2018-04-09T11:24:29"}, {"id": "OPENVAS:1361412562310867302", "type": "openvas", "title": "Fedora Update for mingw-curl FEDORA-2013-22046", "description": "Check for the Version of mingw-curl", "published": "2014-02-05T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867302", "cvelist": ["CVE-2013-4545"], "lastseen": "2018-04-09T11:13:11"}, {"id": "OPENVAS:867097", "type": "openvas", "title": "Fedora Update for mingw-curl 
FEDORA-2013-21887", "description": "Check for the Version of mingw-curl", "published": "2013-12-03T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=867097", "cvelist": ["CVE-2013-4545"], "lastseen": "2017-07-25T10:52:08"}, {"id": "OPENVAS:1361412562310867880", "type": "openvas", "title": "Fedora Update for mingw-curl FEDORA-2014-6912", "description": "Check for the Version of mingw-curl", "published": "2014-06-17T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867880", "cvelist": ["CVE-2014-0139", "CVE-2014-0138", "CVE-2013-4545"], "lastseen": "2018-04-09T11:12:15"}, {"id": "OPENVAS:1361412562310867890", "type": "openvas", "title": "Fedora Update for mingw-curl FEDORA-2014-6921", "description": "Check for the Version of mingw-curl", "published": "2014-06-17T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867890", "cvelist": ["CVE-2014-0139", "CVE-2014-0138", "CVE-2013-4545"], "lastseen": "2018-04-09T11:13:51"}, {"id": "OPENVAS:1361412562310868649", "type": "openvas", "title": "Fedora Update for mingw-curl FEDORA-2014-17596", "description": "Check the version of mingw-curl", "published": "2015-01-05T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868649", "cvelist": ["CVE-2014-3613", "CVE-2014-0139", "CVE-2014-3707", "CVE-2014-3620", "CVE-2014-0138", "CVE-2013-4545"], "lastseen": "2017-07-25T10:53:09"}], "debian": [{"id": "DSA-2798", "type": "debian", "title": "curl -- unchecked ssl certificate host name", "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSL_VERIFYHOST check 
when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain.\n\nThe default configuration for the curl package is not affected by this issue since CURLOPT_SSL_VERIFYPEER is enabled by default.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem has been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.", "published": "2013-11-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.debian.org/security/dsa-2798", "cvelist": ["CVE-2013-4545"], "lastseen": "2016-09-02T18:27:49"}], "ubuntu": [{"id": "USN-2048-1", "type": "ubuntu", "title": "curl vulnerability", "description": "Scott Cantor discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.", "published": "2013-12-05T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://usn.ubuntu.com/2048-1/", "cvelist": ["CVE-2013-4545"], "lastseen": "2018-03-29T18:20:19"}], "kaspersky": [{"id": "KLA10458", "type": "kaspersky", "title": "KLA10458: Multiple vulnerabilities in HP SMH", "description": "### *CVSS*:\n7.5\n\n### *Detect date*:\n01/10/2014\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in HP SMH. 
By exploiting these vulnerabilities, malicious users can conduct XSS, CSRF and clickjacking attacks via unspecified vectors. These vulnerabilities can be exploited remotely.\n\n### *Affected products*:\nHP System Management Homepage (SMH) versions earlier than 7.4\n\n### *Solution*:\nUpdate to the latest version\n[Get HP SMH](<http://www8.hp.com/us/en/products/server-software/product-detail.html?oid=344313>)\n\n### *Original advisories*:\n[HP bulletin](<https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322>) \n\n\n### *Impacts*:\nXSSCSS \n\n### *Related products*:\n[HP System Management Homepage](<https://threats.kaspersky.com/en/product/HP-System-Management-Homepage/>)\n\n### *CVE-IDS*:\n[CVE-2013-4545](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545>) \n[CVE-2013-6420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420>) \n[CVE-2013-6422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6422>) \n[CVE-2013-6712](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712>) \n[CVE-2014-2640](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2640>) \n[CVE-2014-2641](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2641>) \n[CVE-2014-2642](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2642>)", "published": "2014-01-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10458", "cvelist": ["CVE-2014-2641", "CVE-2013-6422", "CVE-2014-2640", "CVE-2014-2642", "CVE-2013-6420", "CVE-2013-6712", "CVE-2013-4545"], "lastseen": "2018-03-30T14:11:31"}], "oracle": [{"id": "ORACLE:CPUAPR2015-2365600", "type": "oracle", "title": "Oracle Critical Patch Update - April 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. 
Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 98 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-04-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2014-0116", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2014-8275", "CVE-2015-2570", "CVE-2014-3570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2014-0094", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2014-0113", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0205", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", 
"CVE-2015-0456", "CVE-2013-4545"], "lastseen": "2018-04-18T20:23:52"}, {"id": "ORACLE:CPUJUL2015-2367936", "type": "oracle", "title": "Oracle Critical Patch Update - July 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\n** Please note that on May 15, 2015, Oracle released [Security Alert for CVE-2015-3456 (QEMU \"Venom\")](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456. 
**\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-07-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-1926", "CVE-2015-1802", "CVE-2015-4000", "CVE-2015-2591", "CVE-2015-0443", "CVE-2015-1803", "CVE-2015-4771", "CVE-2015-2627", "CVE-2015-2615", "CVE-2014-3566", "CVE-2015-4764", "CVE-2015-4774", "CVE-2015-2601", "CVE-2015-4738", "CVE-2014-8098", "CVE-2015-0235", "CVE-2015-4729", "CVE-2015-1804", "CVE-2015-4751", "CVE-2015-0444", "CVE-2015-0445", "CVE-2015-4749", "CVE-2014-8092", "CVE-2015-4758", "CVE-2014-7809", "CVE-2015-2643", "CVE-2015-4770", "CVE-2015-4747", "CVE-2015-2661", "CVE-2015-4778", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2617", "CVE-2015-4784", "CVE-2015-2664", "CVE-2015-2605", "CVE-2015-2597", "CVE-2015-4785", "CVE-2015-4732", "CVE-2015-2653", "CVE-2014-3572", "CVE-2014-3613", "CVE-2015-0206", "CVE-2014-0227", "CVE-2015-2595", "CVE-2015-4782", "CVE-2015-0286", "CVE-2015-3244", "CVE-2015-2648", "CVE-2015-2657", "CVE-2014-0230", "CVE-2014-8100", "CVE-2015-4789", "CVE-2015-2581", "CVE-2015-2613", "CVE-2015-2658", "CVE-2014-3571", "CVE-2015-4736", "CVE-2015-2599", "CVE-2013-2251", "CVE-2013-5704", "CVE-2015-4739", "CVE-2015-0288", "CVE-2015-4790", "CVE-2013-6422", "CVE-2015-2589", "CVE-2010-1324", "CVE-2015-2623", "CVE-2015-2631", "CVE-2010-4020", "CVE-2015-2596", "CVE-2015-4763", "CVE-2015-0285", "CVE-2015-4783", "CVE-2015-2620", "CVE-2015-2650", "CVE-2011-3389", "CVE-2015-2654", "CVE-2015-0207", "CVE-2015-2607", "CVE-2015-2639", "CVE-2015-2611", "CVE-2015-2645", "CVE-2015-2634", "CVE-2015-2594", "CVE-2014-8275", "CVE-2015-3456", "CVE-2015-0467", "CVE-2015-2584", "CVE-2015-0208", 
"CVE-2015-2808", "CVE-2013-0249", "CVE-2014-3570", "CVE-2015-2590", "CVE-2015-2656", "CVE-2015-2626", "CVE-2015-2628", "CVE-2015-4768", "CVE-2015-4761", "CVE-2015-4745", "CVE-2015-4750", "CVE-2014-0139", "CVE-2015-2635", "CVE-2015-4756", "CVE-2015-2647", "CVE-2014-3707", "CVE-2015-0293", "CVE-2015-2600", "CVE-2015-2580", "CVE-2014-8097", "CVE-2014-8101", "CVE-2015-2640", "CVE-2015-4733", "CVE-2015-2646", "CVE-2014-1568", "CVE-2015-2651", "CVE-2015-2603", "CVE-2014-8091", "CVE-2015-4765", "CVE-2015-2660", "CVE-2015-2604", "CVE-2015-0255", "CVE-2015-4772", "CVE-2015-2662", "CVE-2015-4735", "CVE-2015-0468", "CVE-2015-4779", "CVE-2015-0209", "CVE-2015-2585", "CVE-2013-2186", "CVE-2014-3567", "CVE-2015-2614", "CVE-2014-0015", "CVE-2015-4737", "CVE-2015-4776", "CVE-2015-4757", "CVE-2015-4728", "CVE-2015-2637", "CVE-2015-2606", "CVE-2015-4769", "CVE-2015-0204", "CVE-2015-2621", "CVE-2015-4786", "CVE-2015-4787", "CVE-2015-2638", "CVE-2015-4740", "CVE-2015-2619", "CVE-2015-4731", "CVE-2014-8095", "CVE-2015-4727", "CVE-2015-4741", "CVE-2015-2636", "CVE-2015-2659", "CVE-2015-2655", "CVE-2015-4775", "CVE-2015-4773", "CVE-2014-8102", "CVE-2015-0291", "CVE-2015-4746", "CVE-2015-2629", "CVE-2014-8096", "CVE-2015-4788", "CVE-2015-4755", "CVE-2015-2602", "CVE-2015-4748", "CVE-2015-0287", "CVE-2015-2622", "CVE-2015-2610", "CVE-2012-0036", "CVE-2013-2174", "CVE-2015-2663", "CVE-2015-4742", "CVE-2014-8093", "CVE-2015-0289", "CVE-2015-2652", "CVE-2015-4759", "CVE-2015-0446", "CVE-2015-0292", "CVE-2015-2582", "CVE-2015-4780", "CVE-2014-1569", "CVE-2015-4781", "CVE-2015-2618", "CVE-2015-2641", "CVE-2015-2593", "CVE-2015-4744", "CVE-2015-2598", "CVE-2014-0138", "CVE-2015-2587", "CVE-2015-2630", "CVE-2015-2592", "CVE-2015-4767", "CVE-2015-0290", "CVE-2015-2616", "CVE-2015-0205", "CVE-2015-2624", "CVE-2015-2609", "CVE-2015-4777", "CVE-2010-1323", "CVE-2015-1787", "CVE-2015-4754", "CVE-2014-3569", "CVE-2015-2588", "CVE-2015-4760", "CVE-2015-2583", "CVE-2015-4743", "CVE-2013-4545", 
"CVE-2015-4752", "CVE-2015-2586", "CVE-2015-4753", "CVE-2015-2649", "CVE-2015-2612", "CVE-2015-2644"], "lastseen": "2018-04-18T20:24:06"}, {"id": "ORACLE:CPUJAN2015-1972971", "type": "oracle", "title": "Oracle Critical Patch Update - January 2015", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). 
Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "published": "2015-03-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", 
"CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "lastseen": "2018-04-18T20:23:51"}]}}