{"bulletinFamily": "scanner", "viewCount": 0, "naslFamily": "Debian Local Security Checks", "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2013/dsa-2798.html"], "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "123bc33aeb1db7ff157e9f48333ff1b9"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "f84c522d6e696481a5842732aabf0dc3"}, {"key": "href", "hash": "a5ed9afc274998ae1dc2c4d97288c856"}, {"key": "modified", "hash": "d89cc672a6266551218ef8145d1f22e2"}, {"key": "naslFamily", "hash": "74562d71b087df9eabd0c21f99b132cc"}, {"key": "pluginID", "hash": "1d2c24dd84d63e4892fa41f5502547ea"}, {"key": "published", "hash": "31685687dbec3fe4df89efc0b6dcbc70"}, {"key": "references", "hash": "864e9c68d80324a195a6d8befc1569de"}, {"key": "reporter", "hash": "5474798d22021d679c1738be31fc4947"}, {"key": "sourceData", "hash": "75284721774a33c82e6da964687b88b7"}, {"key": "title", "hash": "2c00c409cde36d0e58910380491be656"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "href": "http://plugins.openvas.org/nasl.php?oid=892798", "modified": "2017-07-07T00:00:00", "objectVersion": "1.3", "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "id": "OPENVAS:892798", "title": "Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)", "hash": "0260d07ba46c5771c62133995d1780cea282c3c1c54860475754834e1e679eb9", "edition": 2, "published": "2013-11-17T00:00:00", "type": "openvas", "history": [{"lastseen": "2017-07-02T21:11:12", "bulletin": {"hash": "b241f7ec72acf3717121158151d93df322adef54e29e25572eab8e8b7835079d", "viewCount": 0, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "references": ["http://www.debian.org/security/2013/dsa-2798.html"], "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.", "hashmap": [{"key": "references", "hash": "864e9c68d80324a195a6d8befc1569de"}, {"key": "pluginID", "hash": "1d2c24dd84d63e4892fa41f5502547ea"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "sourceData", "hash": "d2392d983ef64f6ab95d01e38de6ba37"}, {"key": "description", "hash": "f84c522d6e696481a5842732aabf0dc3"}, {"key": "modified", "hash": "7247ed8a8d44e8bd868630ffa4559a87"}, {"key": "title", "hash": "2c00c409cde36d0e58910380491be656"}, {"key": "href", "hash": "a5ed9afc274998ae1dc2c4d97288c856"}, {"key": "published", "hash": "31685687dbec3fe4df89efc0b6dcbc70"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}, {"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "123bc33aeb1db7ff157e9f48333ff1b9"}, {"key": "reporter", "hash": "5474798d22021d679c1738be31fc4947"}, {"key": "naslFamily", "hash": "74562d71b087df9eabd0c21f99b132cc"}], "naslFamily": "Debian Local Security Checks", "modified": "2017-05-05T00:00:00", "objectVersion": "1.3", "href": "http://plugins.openvas.org/nasl.php?oid=892798", "published": "2013-11-17T00:00:00", "enchantments": {}, "id": "OPENVAS:892798", "title": "Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)", "bulletinFamily": "scanner", "edition": 1, "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2798.nasl 6074 2017-05-05 09:03:14Z teissa $\n# Auto-generated from advisory DSA 2798-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"curl on Debian Linux\";\ntag_insight = \"curl is a client to get files from servers using any of the supported\nprotocols. The command is designed to work without user interaction\nor any kind of interactivity.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem\nhas been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.\";\ntag_summary = \"Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892798);\n script_version(\"$Revision: 6074 $\");\n script_cve_id(\"CVE-2013-4545\");\n script_name(\"Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-11-17 00:00:00 +0100 (Sun, 17 Nov 2013)\");\n script_tag(name: \"cvss_base\", value:\"4.3\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2798.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"HostDetails/OS/cpe:/o:debian:debian_linux\", \"login/SSH/success\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-nss\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-nss-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "type": "openvas", "history": [], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2013-4545"], "lastseen": "2017-07-02T21:11:12", "pluginID": "892798"}, "differentElements": ["modified", "sourceData"], "edition": 1}], "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "cvelist": ["CVE-2013-4545"], "lastseen": "2017-07-24T12:51:45", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2798.nasl 6611 2017-07-07 12:07:20Z cfischer $\n# Auto-generated from advisory DSA 2798-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"curl on Debian Linux\";\ntag_insight = \"curl is a client to get files from servers using any of the supported\nprotocols. The command is designed to work without user interaction\nor any kind of interactivity.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem\nhas been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.\";\ntag_summary = \"Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_id(892798);\n script_version(\"$Revision: 6611 $\");\n script_cve_id(\"CVE-2013-4545\");\n script_name(\"Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2017-07-07 14:07:20 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name: \"creation_date\", value:\"2013-11-17 00:00:00 +0100 (Sun, 17 Nov 2013)\");\n script_tag(name: \"cvss_base\", value:\"4.3\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2798.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-nss\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-nss-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "pluginID": "892798"}

{"cve": [{"lastseen": "2016-09-03T18:49:03", "references": ["http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", "http://www.ubuntu.com/usn/USN-2048-1", "http://www.debian.org/security/2013/dsa-2798", "http://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html", "https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322", "http://curl.haxx.se/docs/adv_20131115.html", "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", "http://lists.opensuse.org/opensuse-updates/2013-12/msg00053.html"], "edition": 1, "description": "cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", "reporter": "NVD", "published": "2013-11-23T06:55:04", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "CVE-2013-4545", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2013-4545"], "scanner": [], "modified": "2016-06-16T21:59:31", "cpe": ["cpe:/a:haxx:libcurl:7.31.0", "cpe:/a:haxx:curl:7.29.0", "cpe:/a:haxx:curl:7.21.1", "cpe:/a:haxx:curl:7.30.0", "cpe:/a:haxx:curl:7.26.0", "cpe:/a:haxx:libcurl:7.29.0", "cpe:/a:haxx:curl:7.19.3", "cpe:/a:haxx:curl:7.18.1", "cpe:/a:haxx:curl:7.19.2", "cpe:/a:haxx:curl:7.24.0", "cpe:/a:haxx:libcurl:7.18.1", "cpe:/a:haxx:curl:7.21.5", "cpe:/a:haxx:libcurl:7.19.1", "cpe:/a:haxx:libcurl:7.19.2", "cpe:/a:haxx:libcurl:7.22.0", "cpe:/a:haxx:curl:7.21.2", "cpe:/a:haxx:libcurl:7.26.0", "cpe:/a:haxx:curl:7.21.4", "cpe:/a:haxx:libcurl:7.25.0", "cpe:/a:haxx:libcurl:7.21.4", "cpe:/a:haxx:curl:7.21.0", "cpe:/a:haxx:libcurl:7.19.7", "cpe:/a:haxx:curl:7.21.7", "cpe:/a:haxx:curl:7.20.0", "cpe:/a:haxx:curl:7.25.0", "cpe:/a:haxx:curl:7.19.0", "cpe:/a:haxx:curl:7.18.2", "cpe:/a:haxx:curl:7.18.0", "cpe:/a:haxx:curl:7.19.7", "cpe:/a:haxx:libcurl:7.20.0", "cpe:/a:haxx:libcurl:7.32.0", "cpe:/a:haxx:curl:7.27.0", "cpe:/a:haxx:curl:7.21.6", "cpe:/a:haxx:libcurl:7.19.6", "cpe:/a:haxx:curl:7.23.1", "cpe:/a:haxx:libcurl:7.28.0", "cpe:/a:haxx:libcurl:7.19.0", "cpe:/a:haxx:libcurl:7.19.4", "cpe:/a:haxx:libcurl:7.21.0", "cpe:/a:haxx:curl:7.31.0", "cpe:/a:haxx:libcurl:7.24.0", "cpe:/a:haxx:curl:7.19.6", "cpe:/a:haxx:libcurl:7.21.6", "cpe:/a:haxx:libcurl:7.23.0", "cpe:/a:haxx:libcurl:7.27.0", "cpe:/a:haxx:curl:7.32.0", "cpe:/a:haxx:libcurl:7.28.1", "cpe:/a:haxx:curl:7.23.0", "cpe:/a:haxx:libcurl:7.21.2", "cpe:/a:haxx:curl:7.20.1", "cpe:/a:haxx:libcurl:7.21.3", "cpe:/a:haxx:curl:7.19.4", "cpe:/a:haxx:curl:7.21.3", "cpe:/a:haxx:libcurl:7.23.1", "cpe:/a:haxx:libcurl:7.20.1", "cpe:/a:haxx:curl:7.19.1", "cpe:/a:haxx:libcurl:7.21.1", "cpe:/a:haxx:curl:7.28.1", "cpe:/a:haxx:libcurl:7.30.0", "cpe:/a:haxx:libcurl:7.21.7", "cpe:/a:haxx:curl:7.19.5", "cpe:/a:haxx:libcurl:7.19.3", "cpe:/a:haxx:curl:7.22.0", "cpe:/a:haxx:libcurl:7.21.5", "cpe:/a:haxx:libcurl:7.18.0", "cpe:/a:haxx:curl:7.28.0", "cpe:/a:haxx:libcurl:7.19.5", "cpe:/a:haxx:libcurl:7.18.2"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4545", "id": "CVE-2013-4545", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "f5": [{"lastseen": "2016-09-26T17:23:21", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Recommended Action\n\nNone\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents.\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "reporter": "f5", "published": "2014-04-07T00:00:00", "title": "SOL15150 - cURL and libcurl vulnerability CVE-2013-4545", "type": "f5", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4545"], "modified": "2014-04-07T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15150.html", "id": "SOL15150", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2018-09-01T23:39:47", "references": ["http://advisories.mageia.org/MGASA-2013-0338.html"], "pluginID": "71030", "description": "Updated curl packages fix security vulnerability :\n\nScott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain (CVE-2013-4545).", "edition": 5, "reporter": "Tenable", "published": "2013-11-22T00:00:00", "title": "Mandriva Linux Security Advisory : curl (MDVSA-2013:276)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-07-19T00:00:00", "cpe": ["cpe:/o:mandriva:business_server:1", "p-cpe:/a:mandriva:linux:lib64curl-devel", "p-cpe:/a:mandriva:linux:lib64curl4", "p-cpe:/a:mandriva:linux:curl", "p-cpe:/a:mandriva:linux:curl-examples"], "id": "MANDRIVA_MDVSA-2013-276.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=71030", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2013:276. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71030);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/19 20:59:18\");\n\n script_cve_id(\"CVE-2013-4545\");\n script_bugtraq_id(63776);\n script_xref(name:\"MDVSA\", value:\"2013:276\");\n\n script_name(english:\"Mandriva Linux Security Advisory : curl (MDVSA-2013:276)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated curl packages fix security vulnerability :\n\nScott Cantor discovered that curl, a file retrieval tool, would\ndisable the CURLOPT_SSLVERIFYHOST check when the\nCURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable\nssl certificate host name checks when it should have only disabled\nverification of the certificate trust chain (CVE-2013-4545).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://advisories.mageia.org/MGASA-2013-0338.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:curl-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64curl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64curl4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:business_server:1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"curl-7.24.0-2.3.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"curl-examples-7.24.0-2.3.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64curl-devel-7.24.0-2.3.mbs1\")) flag++;\nif (rpm_check(release:\"MDK-MBS1\", cpu:\"x86_64\", reference:\"lib64curl4-7.24.0-2.3.mbs1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-11-11T13:03:48", "references": ["https://packages.debian.org/source/wheezy/curl", "https://www.debian.org/security/2013/dsa-2798", "https://packages.debian.org/source/squeeze/curl"], "pluginID": "70985", "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable ssl certificate host name checks when it should have only disabled verification of the certificate trust chain.\n\nThe default configuration for the curl package is not affected by this issue since CURLOPT_SSLVERIFYPEER is enabled by default.", "edition": 6, "reporter": "Tenable", "published": "2013-11-21T00:00:00", "title": "Debian DSA-2798-1 : curl - unchecked ssl certificate host name", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:6.0", "p-cpe:/a:debian:debian_linux:curl", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DSA-2798.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=70985", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2798. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(70985);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/10 11:49:36\");\n\n script_cve_id(\"CVE-2013-4545\");\n script_bugtraq_id(63776);\n script_xref(name:\"DSA\", value:\"2798\");\n\n script_name(english:\"Debian DSA-2798-1 : curl - unchecked ssl certificate host name\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Scott Cantor discovered that curl, a file retrieval tool, would\ndisable the CURLOPT_SSLVERIFYHOST check when the\nCURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable\nssl certificate host name checks when it should have only disabled\nverification of the certificate trust chain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/squeeze/curl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/curl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2013/dsa-2798\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the curl packages.\n\nFor the oldstable distribution (squeeze), this problem has been fixed\nin version 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/11/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"6.0\", prefix:\"curl\", reference:\"7.21.0-2.1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcurl3\", reference:\"7.21.0-2.1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcurl3-dbg\", reference:\"7.21.0-2.1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcurl3-gnutls\", reference:\"7.21.0-2.1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcurl4-gnutls-dev\", reference:\"7.21.0-2.1+squeeze5\")) flag++;\nif (deb_check(release:\"6.0\", prefix:\"libcurl4-openssl-dev\", reference:\"7.21.0-2.1+squeeze5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"curl\", reference:\"7.26.0-1+wheezy5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3\", reference:\"7.26.0-1+wheezy5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-dbg\", reference:\"7.26.0-1+wheezy5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-gnutls\", reference:\"7.26.0-1+wheezy5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl3-nss\", reference:\"7.26.0-1+wheezy5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-gnutls-dev\", reference:\"7.26.0-1+wheezy5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-nss-dev\", reference:\"7.26.0-1+wheezy5\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libcurl4-openssl-dev\", reference:\"7.26.0-1+wheezy5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:27", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=849596", "http://support.novell.com/security/cve/CVE-2013-4545.html", "https://bugzilla.novell.com/show_bug.cgi?id=810760"], "pluginID": "71786", "description": "This update fixes the following security issues with curl :\n\n - ssl cert checks with unclear behaviour (CVE-2013-4545).\n (bnc#849596)", "edition": 4, "reporter": "Tenable", "published": "2014-01-03T00:00:00", "title": "SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8617 / 8621)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2014-01-03T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:libcurl4", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:curl", "p-cpe:/a:novell:suse_linux:11:libcurl4-32bit"], "id": "SUSE_11_CURL-131204.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=71786", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71786);\n script_version(\"$Revision: 1.1 $\");\n script_cvs_date(\"$Date: 2014/01/03 11:53:30 $\");\n\n script_cve_id(\"CVE-2013-4545\");\n\n script_name(english:\"SuSE 11.2 / 11.3 Security Update : curl (SAT Patch Numbers 8617 / 8621)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the following security issues with curl :\n\n - ssl cert checks with unclear behaviour (CVE-2013-4545).\n (bnc#849596)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=810760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849596\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-4545.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 8617 / 8621 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libcurl4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:libcurl4-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/01/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"curl-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"libcurl4-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"curl-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"libcurl4-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"libcurl4-32bit-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"curl-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"i586\", reference:\"libcurl4-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"curl-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"libcurl4-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:3, cpu:\"x86_64\", reference:\"libcurl4-32bit-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"curl-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, reference:\"libcurl4-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"s390x\", reference:\"libcurl4-32bit-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:2, cpu:\"x86_64\", reference:\"libcurl4-32bit-7.19.7-1.20.29.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"curl-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, reference:\"libcurl4-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"s390x\", reference:\"libcurl4-32bit-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:3, cpu:\"x86_64\", reference:\"libcurl4-32bit-7.19.7-1.30.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-11-13T17:06:18", "references": ["https://bugzilla.novell.com/show_bug.cgi?id=849596", "https://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html"], "pluginID": "75228", "description": "This update fixes the following security issues with curl :\n\n - fix CVE-2013-4545 (bnc#849596) = acknowledge VERIFYHOST without VERIFYPEER", "edition": 5, "reporter": "Tenable", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : curl (openSUSE-SU-2013:1859-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:novell:opensuse:12.3", "p-cpe:/a:novell:opensuse:curl-debuginfo", "p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit", "p-cpe:/a:novell:opensuse:libcurl4", "p-cpe:/a:novell:opensuse:libcurl-devel", "p-cpe:/a:novell:opensuse:curl-debugsource", "p-cpe:/a:novell:opensuse:libcurl4-debuginfo", "cpe:/o:novell:opensuse:13.1", "cpe:/o:novell:opensuse:12.2", "p-cpe:/a:novell:opensuse:curl", "p-cpe:/a:novell:opensuse:libcurl4-32bit"], "id": "OPENSUSE-2013-964.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75228", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-964.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75228);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/10 11:50:01\");\n\n script_cve_id(\"CVE-2013-4545\");\n\n script_name(english:\"openSUSE Security Update : curl (openSUSE-SU-2013:1859-1)\");\n script_summary(english:\"Check for the openSUSE-2013-964 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the following security issues with curl :\n\n - fix CVE-2013-4545 (bnc#849596) = acknowledge VERIFYHOST\n without VERIFYPEER\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=849596\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-12/msg00047.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:curl-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libcurl4-debuginfo-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.2|SUSE12\\.3|SUSE13\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.2 / 12.3 / 13.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.2\", reference:\"curl-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"curl-debuginfo-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"curl-debugsource-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libcurl-devel-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libcurl4-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"libcurl4-debuginfo-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-32bit-7.25.0-2.20.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"curl-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"curl-debuginfo-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"curl-debugsource-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libcurl-devel-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libcurl4-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"libcurl4-debuginfo-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-32bit-7.28.1-4.21.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"curl-7.32.0-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"curl-debuginfo-7.32.0-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"curl-debugsource-7.32.0-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libcurl-devel-7.32.0-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libcurl4-7.32.0-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", reference:\"libcurl4-debuginfo-7.32.0-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.32.0-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.1\", cpu:\"x86_64\", reference:\"libcurl4-debuginfo-32bit-7.32.0-2.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / curl-debuginfo / curl-debugsource / libcurl-devel / etc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:33:17", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1031429", "http://www.nessus.org/u?84b1afad"], "pluginID": "71151", "description": "- Update to 7.33.0\n\n - Fixes CVE-2013-4545, RHBZ #1031429\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2013-12-02T00:00:00", "title": "Fedora 19 : mingw-curl-7.33.0-1.fc19 (2013-21887)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:19", "p-cpe:/a:fedoraproject:fedora:mingw-curl"], "id": "FEDORA_2013-21887.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=71151", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-21887.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71151);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:37:40 $\");\n\n script_cve_id(\"CVE-2013-4545\");\n script_bugtraq_id(63776);\n script_xref(name:\"FEDORA\", value:\"2013-21887\");\n\n script_name(english:\"Fedora 19 : mingw-curl-7.33.0-1.fc19 (2013-21887)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to 7.33.0\n\n - Fixes CVE-2013-4545, RHBZ #1031429\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1031429\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123009.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?84b1afad\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mingw-curl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:19\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^19([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 19.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC19\", reference:\"mingw-curl-7.33.0-1.fc19\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-curl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:37:34", "references": ["https://bugzilla.novell.com/849596", "http://www.nessus.org/u?8d2eadf3", "http://www.nessus.org/u?1811f5a0", "http://support.novell.com/security/cve/CVE-2013-4545.html"], "pluginID": "83606", "description": "This update fixes the following security issues with curl :\n\n - bnc#849596: ssl cert checks with unclear behaviour (CVE-2013-4545)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 5, "reporter": "Tenable", "published": "2015-05-20T00:00:00", "title": "SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2014:0004-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-07-31T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:curl", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:libcurl4"], "id": "SUSE_SU-2014-0004-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=83606", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2014:0004-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83606);\n script_version(\"2.3\");\n script_cvs_date(\"Date: 2018/07/31 17:27:54\");\n\n script_cve_id(\"CVE-2013-4545\");\n script_bugtraq_id(63776);\n\n script_name(english:\"SUSE SLED11 / SLES11 Security Update : curl (SUSE-SU-2014:0004-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes the following security issues with curl :\n\n - bnc#849596: ssl cert checks with unclear behaviour\n (CVE-2013-4545)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n # http://download.suse.com/patch/finder/?keywords=6696ea7568dc85f57f47a079047688a4\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8d2eadf3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-4545.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/849596\"\n );\n # https://www.suse.com/support/update/announcement/2014/suse-su-20140004-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1811f5a0\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 11 SP3 :\n\nzypper in -t patch sdksp3-curl-8617\n\nSUSE Linux Enterprise Server 11 SP3 for VMware :\n\nzypper in -t patch slessp3-curl-8617\n\nSUSE Linux Enterprise Server 11 SP3 :\n\nzypper in -t patch slessp3-curl-8617\n\nSUSE Linux Enterprise Desktop 11 SP3 :\n\nzypper in -t patch sledsp3-curl-8617\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libcurl4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/01/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/05/20\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED11|SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED11 / SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! ereg(pattern:\"^3$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED11\" && (! ereg(pattern:\"^3$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED11 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", cpu:\"s390x\", reference:\"libcurl4-32bit-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"curl-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"libcurl4-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"curl-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"libcurl4-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"libcurl4-32bit-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"curl-7.19.7-1.30.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"libcurl4-7.19.7-1.30.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:40:38", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1031429", "http://www.nessus.org/u?b81b48ab"], "pluginID": "71406", "description": "- Update to 7.33.0\n\n - Fixes CVE-2013-4545, RHBZ #1031429\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2013-12-14T00:00:00", "title": "Fedora 20 : mingw-curl-7.33.0-1.fc20 (2013-22046)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2015-10-19T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:20", "p-cpe:/a:fedoraproject:fedora:mingw-curl"], "id": "FEDORA_2013-22046.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=71406", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2013-22046.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71406);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 21:37:40 $\");\n\n script_cve_id(\"CVE-2013-4545\");\n script_bugtraq_id(63776);\n script_xref(name:\"FEDORA\", value:\"2013-22046\");\n\n script_name(english:\"Fedora 20 : mingw-curl-7.33.0-1.fc20 (2013-22046)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Update to 7.33.0\n\n - Fixes CVE-2013-4545, RHBZ #1031429\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1031429\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123676.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b81b48ab\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mingw-curl package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:mingw-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:20\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^20([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 20.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC20\", reference:\"mingw-curl-7.33.0-1.fc20\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mingw-curl\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-02T00:11:26", "references": [], "pluginID": "71244", "description": "Scott Cantor discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2013-12-06T00:00:00", "title": "Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : curl vulnerability (USN-2048-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2016-05-25T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:13.10", "cpe:/o:canonical:ubuntu_linux:10.04:-:lts", "cpe:/o:canonical:ubuntu_linux:12.10", "p-cpe:/a:canonical:ubuntu_linux:libcurl3", "cpe:/o:canonical:ubuntu_linux:13.04", "cpe:/o:canonical:ubuntu_linux:12.04:-:lts"], "id": "UBUNTU_USN-2048-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=71244", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2048-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(71244);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2016/05/25 16:34:54 $\");\n\n script_cve_id(\"CVE-2013-4545\");\n script_bugtraq_id(63776);\n script_xref(name:\"USN\", value:\"2048-1\");\n\n script_name(english:\"Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : curl vulnerability (USN-2048-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Scott Cantor discovered that libcurl incorrectly verified CN and SAN\nname fields when digital signature verification was disabled. When\nlibcurl is being used in this uncommon way by specific applications,\nan attacker could exploit this to perform a man in the middle attack\nto view sensitive information or alter encrypted communications.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected libcurl3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libcurl3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:10.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:13.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:13.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/12/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/12/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2013-2016 Canonical, Inc. / NASL script (C) 2013-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(10\\.04|12\\.04|12\\.10|13\\.04|13\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 10.04 / 12.04 / 12.10 / 13.04 / 13.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"10.04\", pkgname:\"libcurl3\", pkgver:\"7.19.7-1ubuntu1.4\")) flag++;\nif (ubuntu_check(osver:\"12.04\", pkgname:\"libcurl3\", pkgver:\"7.22.0-3ubuntu4.4\")) flag++;\nif (ubuntu_check(osver:\"12.10\", pkgname:\"libcurl3\", pkgver:\"7.27.0-1ubuntu1.5\")) flag++;\nif (ubuntu_check(osver:\"13.04\", pkgname:\"libcurl3\", pkgver:\"7.29.0-1ubuntu3.3\")) flag++;\nif (ubuntu_check(osver:\"13.10\", pkgname:\"libcurl3\", pkgver:\"7.32.0-1ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libcurl3\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-11-16T16:49:38", "references": ["https://www.openssl.org/~bodo/ssl-poodle.pdf", "https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00", "https://www.imperialviolet.org/2014/10/14/poodle.html", "http://www.nessus.org/u?56618dc1"], "pluginID": "82902", "description": "The version of GlassFish Server running on the remote host is affected by multiple vulnerabilities :\n\n - A flaw exists in the bundled cURL and libcurl packages.\n The certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) is disabled when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled. This allows a man-in-the-middle attacker to spoof SSL servers via an arbitrary valid certificate.\n (CVE-2013-4545)\n\n - A flaw exists in the bundled Network Security Services (NSS) library due to improper parsing of ASN.1 values in X.509 certificates. This allows a man-in-the-middle attacker to spoof RSA signatures via a crafted certificate. (CVE-2014-1568)\n\n - A man-in-the-middle (MitM) information disclosure vulnerability known as POODLE. The vulnerability is due to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. MitM attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. (CVE-2014-3566)", "edition": 8, "reporter": "Tenable", "published": "2015-04-20T00:00:00", "title": "Oracle GlassFish Server Multiple Vulnerabilities (April 2015 CPU) (POODLE)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3566", "CVE-2014-1568", "CVE-2013-4545"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/a:oracle:glassfish_server"], "id": "GLASSFISH_CPU_APR_2015.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=82902", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(82902);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\n \"CVE-2013-4545\",\n \"CVE-2014-1568\",\n \"CVE-2014-3566\"\n );\n script_bugtraq_id(\n 63776,\n 70116,\n 70574\n );\n script_xref(name:\"CERT\", value:\"577193\");\n script_xref(name:\"CERT\", value:\"772676\");\n\n script_name(english:\"Oracle GlassFish Server Multiple Vulnerabilities (April 2015 CPU) (POODLE)\");\n script_summary(english:\"Checks the version of Oracle GlassFish.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of GlassFish Server running on the remote host is affected\nby multiple vulnerabilities :\n\n - A flaw exists in the bundled cURL and libcurl packages.\n The certificate CN and SAN name field verification\n (CURLOPT_SSL_VERIFYHOST) is disabled when the digital\n signature verification (CURLOPT_SSL_VERIFYPEER) is\n disabled. This allows a man-in-the-middle attacker to\n spoof SSL servers via an arbitrary valid certificate.\n (CVE-2013-4545)\n\n - A flaw exists in the bundled Network Security Services\n (NSS) library due to improper parsing of ASN.1 values in\n X.509 certificates. This allows a man-in-the-middle \n attacker to spoof RSA signatures via a crafted\n certificate. (CVE-2014-1568)\n\n - A man-in-the-middle (MitM) information disclosure\n vulnerability known as POODLE. The vulnerability is due\n to the way SSL 3.0 handles padding bytes when decrypting\n messages encrypted using block ciphers in cipher block\n chaining (CBC) mode. MitM attackers can decrypt a\n selected byte of a cipher text in as few as 256 tries if\n they are able to force a victim application to\n repeatedly send the same data over newly created SSL 3.0\n connections. (CVE-2014-3566)\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to GlassFish Server 2.1.1.25 / 3.0.1.11 / 3.1.2.11 or later as\nreferenced in the April 2015 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n # http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56618dc1\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.imperialviolet.org/2014/10/14/poodle.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openssl.org/~bodo/ssl-poodle.pdf\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/10/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:glassfish_server\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"glassfish_detect.nasl\");\n script_require_keys(\"www/glassfish\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\ninclude(\"glassfish.inc\");\n\n#\n# Main\n#\n\n# Check for GlassFish\nget_kb_item_or_exit('www/glassfish');\n\nport = get_glassfish_port(default:8080);\n\n# Get the version number out of the KB.\nver = get_kb_item_or_exit(\"www/\" + port + \"/glassfish/version\");\nbanner = get_kb_item_or_exit(\"www/\" + port + \"/glassfish/source\");\npristine = get_kb_item_or_exit(\"www/\" + port + \"/glassfish/version/pristine\");\n\n# Set appropriate fixed versions.\nif (ver =~ \"^2\\.1\\.1\") fix = \"2.1.1.25\";\nelse if (ver =~ \"^3\\.0\\.1\") fix = \"3.0.1.11\";\nelse if (ver =~ \"^3\\.1\\.2\") fix = \"3.1.2.11\";\nelse fix = NULL;\n\nif (!isnull(fix) && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Version source : ' + banner +\n '\\n Installed version : ' + pristine +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Oracle GlassFish\", port, pristine);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-17T03:07:35", "references": ["http://www.nessus.org/u?696735e3", "https://blogs.oracle.com/sunsecurity/cve-2013-2174-buffer-errors-vulnerability-in-libcurl", "http://www.nessus.org/u?4a913f44", "http://www.nessus.org/u?34569292", "http://www.nessus.org/u?329ec411"], "pluginID": "80662", "description": "The remote Solaris system is missing necessary patches to address security updates :\n\n - The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. (CVE-2013-1944)\n\n - Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a '%' (percent) character. (CVE-2013-2174)\n\n - cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\n (CVE-2013-4545)\n\n - cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.\n (CVE-2014-0015)", "edition": 5, "reporter": "Tenable", "published": "2015-01-19T00:00:00", "title": "Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Solaris Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1944", "CVE-2014-0015", "CVE-2013-2174", "CVE-2013-4545"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.1", "p-cpe:/a:oracle:solaris:libcurl"], "id": "SOLARIS11_LIBCURL_20140415.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=80662", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle Third Party software advisories.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80662);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/11/15 20:50:25\");\n\n script_cve_id(\"CVE-2013-1944\", \"CVE-2013-2174\", \"CVE-2013-4545\", \"CVE-2014-0015\");\n\n script_name(english:\"Oracle Solaris Third-Party Patch Update : libcurl (cve_2013_1944_information_disclosure)\");\n script_summary(english:\"Check for the 'entire' version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch for third-party\nsoftware.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote Solaris system is missing necessary patches to address\nsecurity updates :\n\n - The tailMatch function in cookie.c in cURL and libcurl\n before 7.30.0 does not properly match the path domain\n when sending cookies, which allows remote attackers to\n steal cookies via a matching suffix in the domain of a\n URL. (CVE-2013-1944)\n\n - Heap-based buffer overflow in the curl_easy_unescape\n function in lib/escape.c in cURL and libcurl 7.7 through\n 7.30.0 allows remote attackers to cause a denial of\n service (application crash) or possibly execute\n arbitrary code via a crafted string ending in a '%'\n (percent) character. (CVE-2013-2174)\n\n - cURL and libcurl 7.18.0 through 7.32.0, when built with\n OpenSSL, disables the certificate CN and SAN name field\n verification (CURLOPT_SSL_VERIFYHOST) when the digital\n signature verification (CURLOPT_SSL_VERIFYPEER) is\n disabled, which allows man-in-the-middle attackers to\n spoof SSL servers via an arbitrary valid certificate.\n (CVE-2013-4545)\n\n - cURL and libcurl 7.10.6 through 7.34.0, when more than\n one authentication method is enabled, re-uses NTLM\n connections, which might allow context-dependent\n attackers to authenticate as other users via a request.\n (CVE-2014-0015)\"\n );\n # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4a913f44\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2013-1944-information-disclosure-vulnerability-in-libcurl\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?696735e3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://blogs.oracle.com/sunsecurity/cve-2013-2174-buffer-errors-vulnerability-in-libcurl\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2013-4545-cryptographic-issues-vulnerability-in-libcurl\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?34569292\"\n );\n # https://blogs.oracle.com/sunsecurity/cve-2014-0015-authentication-issues-vulnerability-in-libcurl\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?329ec411\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Solaris 11.1.18.5.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:libcurl\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/04/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/01/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\", \"Host/Solaris11/pkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\npkg_list = solaris_pkg_list_leaves();\nif (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, \"Solaris pkg-list packages\");\n\nif (empty_or_null(egrep(string:pkg_list, pattern:\"^libcurl$\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libcurl\");\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.1.18.0.5.0\", sru:\"SRU 11.1.18.5.0\") > 0) flag++;\n\nif (flag)\n{\n error_extra = 'Affected package : libcurl\\n' + solaris_get_report2();\n error_extra = ereg_replace(pattern:\"version\", replace:\"OS version\", string:error_extra);\n if (report_verbosity > 0) security_warning(port:0, extra:error_extra);\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_PACKAGE_NOT_AFFECTED, \"libcurl\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-09-01T23:57:55", "references": ["http://www.debian.org/security/2013/dsa-2798.html"], "pluginID": "1361412562310892798", "description": "Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.", "edition": 3, "reporter": "Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net", "published": "2013-11-17T00:00:00", "title": "Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310892798", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892798", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2798.nasl 9353 2018-04-06 07:14:20Z cfischer $\n# Auto-generated from advisory DSA 2798-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"curl on Debian Linux\";\ntag_insight = \"curl is a client to get files from servers using any of the supported\nprotocols. The command is designed to work without user interaction\nor any kind of interactivity.\";\ntag_solution = \"For the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem\nhas been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.\";\ntag_summary = \"Scott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\";\ntag_vuldetect = \"This check tests the installed software version using the apt package manager.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892798\");\n script_version(\"$Revision: 9353 $\");\n script_cve_id(\"CVE-2013-4545\");\n script_name(\"Debian Security Advisory DSA 2798-1 (curl - unchecked ssl certificate host name)\");\n script_tag(name: \"last_modification\", value:\"$Date: 2018-04-06 09:14:20 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name: \"creation_date\", value:\"2013-11-17 00:00:00 +0100 (Sun, 17 Nov 2013)\");\n script_tag(name: \"cvss_base\", value:\"4.3\");\n script_tag(name: \"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2013/dsa-2798.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: tag_affected);\n script_tag(name: \"insight\", value: tag_insight);\n# script_tag(name: \"impact\", value: tag_impact);\n script_tag(name: \"solution\", value: tag_solution);\n script_tag(name: \"summary\", value: tag_summary);\n script_tag(name: \"vuldetect\", value: tag_vuldetect);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.21.0-2.1+squeeze5\", rls:\"DEB6.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"curl\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-dbg\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-gnutls\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl3-nss\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-gnutls-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-nss-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcurl4-openssl-dev\", ver:\"7.26.0-1+wheezy5\", rls:\"DEB7.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-26T11:09:48", "references": ["2048-1", "http://www.ubuntu.com/usn/usn-2048-1/"], "pluginID": "841658", "description": "Check for the Version of curl", "edition": 4, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-12-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Ubuntu Update for curl USN-2048-1", "type": "openvas", "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-01-26T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=841658", "id": "OPENVAS:841658", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2048_1.nasl 8542 2018-01-26 06:57:28Z teissa $\n#\n# Ubuntu Update for curl USN-2048-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(841658);\n script_version(\"$Revision: 8542 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-26 07:57:28 +0100 (Fri, 26 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-17 12:10:02 +0530 (Tue, 17 Dec 2013)\");\n script_cve_id(\"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Ubuntu Update for curl USN-2048-1\");\n\n tag_insight = \"Scott Cantor discovered that libcurl incorrectly verified CN\nand SAN name fields when digital signature verification was disabled. When\nlibcurl is being used in this uncommon way by specific applications, an\nattacker could exploit this to perform a man in the middle attack to view\nsensitive information or alter encrypted communications.\";\n\n tag_affected = \"curl on Ubuntu 13.10 ,\n Ubuntu 13.04 ,\n Ubuntu 12.10 ,\n Ubuntu 12.04 LTS ,\n Ubuntu 10.04 LTS\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"USN\", value: \"2048-1\");\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-2048-1/\");\n script_tag(name: \"summary\" , value: \"Check for the Version of curl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.27.0-1ubuntu1.5\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.22.0-3ubuntu4.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.19.7-1ubuntu1.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.32.0-1ubuntu1.1\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.29.0-1ubuntu3.3\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:53:32", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123676.html", "2013-22046"], "pluginID": "1361412562310867302", "description": "Check for the Version of mingw-curl", "edition": 4, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-02-05T00:00:00", "title": "Fedora Update for mingw-curl FEDORA-2013-22046", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867302", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867302", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-curl FEDORA-2013-22046\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867302\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-05 10:31:09 +0530 (Wed, 05 Feb 2014)\");\n script_cve_id(\"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Update for mingw-curl FEDORA-2013-22046\");\n\n tag_insight = \"cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,\nDICT, TELNET and TFTP servers, using any of the supported protocols.\ncURL is designed to work without user interaction or any kind of\ninteractivity. cURL offers many useful capabilities, like proxy\nsupport, user authentication, FTP upload, HTTP post, and file transfer\nresume.\n\nThis is the MinGW cross-compiled Windows library.\n\";\n\n tag_affected = \"mingw-curl on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-22046\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123676.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of mingw-curl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-curl\", rpm:\"mingw-curl~7.33.0~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:55:49", "references": ["2013-21887", "https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123009.html"], "pluginID": "1361412562310867097", "description": "Check for the Version of mingw-curl", "edition": 4, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-12-03T00:00:00", "title": "Fedora Update for mingw-curl FEDORA-2013-21887", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867097", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867097", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-curl FEDORA-2013-21887\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867097\");\n script_version(\"$Revision: 9372 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:56:37 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-03 14:45:21 +0530 (Tue, 03 Dec 2013)\");\n script_cve_id(\"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Update for mingw-curl FEDORA-2013-21887\");\n\n tag_insight = \"cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,\nDICT, TELNET and TFTP servers, using any of the supported protocols.\ncURL is designed to work without user interaction or any kind of\ninteractivity. cURL offers many useful capabilities, like proxy\nsupport, user authentication, FTP upload, HTTP post, and file transfer\nresume.\n\nThis is the MinGW cross-compiled Windows library.\n\";\n\n tag_affected = \"mingw-curl on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-21887\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123009.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of mingw-curl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-curl\", rpm:\"mingw-curl~7.33.0~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-11-19T13:04:29", "references": ["2048-1", "http://www.ubuntu.com/usn/usn-2048-1/"], "pluginID": "1361412562310841658", "description": "The remote host is missing an update for the ", "edition": 6, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-12-17T00:00:00", "title": "Ubuntu Update for curl USN-2048-1", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2018-11-16T00:00:00", "id": "OPENVAS:1361412562310841658", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841658", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_2048_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# Ubuntu Update for curl USN-2048-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.841658\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-17 12:10:02 +0530 (Tue, 17 Dec 2013)\");\n script_cve_id(\"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Ubuntu Update for curl USN-2048-1\");\n\n\n script_tag(name:\"affected\", value:\"curl on Ubuntu 13.10,\n Ubuntu 13.04,\n Ubuntu 12.10,\n Ubuntu 12.04 LTS,\n Ubuntu 10.04 LTS\");\n script_tag(name:\"insight\", value:\"Scott Cantor discovered that libcurl incorrectly verified CN\nand SAN name fields when digital signature verification was disabled. When\nlibcurl is being used in this uncommon way by specific applications, an\nattacker could exploit this to perform a man in the middle attack to view\nsensitive information or alter encrypted communications.\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"USN\", value:\"2048-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2048-1/\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'curl'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(12\\.10|12\\.04 LTS|10\\.04 LTS|13\\.10|13\\.04)\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU12.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.27.0-1ubuntu1.5\", rls:\"UBUNTU12.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.22.0-3ubuntu4.4\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU10.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3\", ver:\"7.19.7-1ubuntu1.4\", rls:\"UBUNTU10.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.32.0-1ubuntu1.1\", rls:\"UBUNTU13.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU13.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libcurl3:i386\", ver:\"7.29.0-1ubuntu3.3\", rls:\"UBUNTU13.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:48:49", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123676.html", "2013-22046"], "pluginID": "867302", "description": "Check for the Version of mingw-curl", "edition": 2, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-02-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for mingw-curl FEDORA-2013-22046", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2017-07-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867302", "id": "OPENVAS:867302", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-curl FEDORA-2013-22046\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867302);\n script_version(\"$Revision: 6629 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:33:41 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2014-02-05 10:31:09 +0530 (Wed, 05 Feb 2014)\");\n script_cve_id(\"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Update for mingw-curl FEDORA-2013-22046\");\n\n tag_insight = \"cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,\nDICT, TELNET and TFTP servers, using any of the supported protocols.\ncURL is designed to work without user interaction or any kind of\ninteractivity. cURL offers many useful capabilities, like proxy\nsupport, user authentication, FTP upload, HTTP post, and file transfer\nresume.\n\nThis is the MinGW cross-compiled Windows library.\n\";\n\n tag_affected = \"mingw-curl on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-22046\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123676.html\");\n script_summary(\"Check for the Version of mingw-curl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-curl\", rpm:\"mingw-curl~7.33.0~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-25T10:52:08", "references": ["2013-21887", "https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123009.html"], "pluginID": "867097", "description": "Check for the Version of mingw-curl", "edition": 2, "reporter": "Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-12-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Fedora Update for mingw-curl FEDORA-2013-21887", "type": "openvas", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-4545"], "modified": "2017-07-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=867097", "id": "OPENVAS:867097", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-curl FEDORA-2013-21887\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_id(867097);\n script_version(\"$Revision: 6628 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:32:47 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-12-03 14:45:21 +0530 (Tue, 03 Dec 2013)\");\n script_cve_id(\"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_name(\"Fedora Update for mingw-curl FEDORA-2013-21887\");\n\n tag_insight = \"cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,\nDICT, TELNET and TFTP servers, using any of the supported protocols.\ncURL is designed to work without user interaction or any kind of\ninteractivity. cURL offers many useful capabilities, like proxy\nsupport, user authentication, FTP upload, HTTP post, and file transfer\nresume.\n\nThis is the MinGW cross-compiled Windows library.\n\";\n\n tag_affected = \"mingw-curl on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2013-21887\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2013-December/123009.html\");\n script_summary(\"Check for the Version of mingw-curl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-curl\", rpm:\"mingw-curl~7.33.0~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:49", "references": ["2014-6912", "https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134033.html"], "pluginID": "1361412562310867880", "description": "Check for the Version of mingw-curl", "edition": 5, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-06-17T00:00:00", "title": "Fedora Update for mingw-curl FEDORA-2014-6912", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0139", "CVE-2014-0138", "CVE-2013-4545"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867880", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867880", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-curl FEDORA-2014-6912\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867880\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-17 09:56:00 +0530 (Tue, 17 Jun 2014)\");\n script_cve_id(\"CVE-2014-0138\", \"CVE-2014-0139\", \"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for mingw-curl FEDORA-2014-6912\");\n\n tag_insight = \"cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,\nDICT, TELNET and TFTP servers, using any of the supported protocols.\ncURL is designed to work without user interaction or any kind of\ninteractivity. cURL offers many useful capabilities, like proxy\nsupport, user authentication, FTP upload, HTTP post, and file transfer\nresume.\n\nThis is the MinGW cross-compiled Windows library.\n\";\n\n tag_affected = \"mingw-curl on Fedora 20\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-6912\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134033.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of mingw-curl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-curl\", rpm:\"mingw-curl~7.37.0~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:54:32", "references": ["2014-6921", "https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134187.html"], "pluginID": "1361412562310867890", "description": "Check for the Version of mingw-curl", "edition": 5, "reporter": "Copyright (C) 2014 Greenbone Networks GmbH", "published": "2014-06-17T00:00:00", "title": "Fedora Update for mingw-curl FEDORA-2014-6921", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-0139", "CVE-2014-0138", "CVE-2013-4545"], "modified": "2018-04-06T00:00:00", "id": "OPENVAS:1361412562310867890", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310867890", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-curl FEDORA-2014-6921\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.867890\");\n script_version(\"$Revision: 9373 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:57:18 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-06-17 10:00:44 +0530 (Tue, 17 Jun 2014)\");\n script_cve_id(\"CVE-2014-0138\", \"CVE-2014-0139\", \"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for mingw-curl FEDORA-2014-6921\");\n\n tag_insight = \"cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,\nDICT, TELNET and TFTP servers, using any of the supported protocols.\ncURL is designed to work without user interaction or any kind of\ninteractivity. cURL offers many useful capabilities, like proxy\nsupport, user authentication, FTP upload, HTTP post, and file transfer\nresume.\n\nThis is the MinGW cross-compiled Windows library.\n\";\n\n tag_affected = \"mingw-curl on Fedora 19\";\n\n tag_solution = \"Please Install the Updated Packages.\";\n\n\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name: \"FEDORA\", value: \"2014-6921\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134187.html\");\n script_tag(name:\"summary\", value:\"Check for the Version of mingw-curl\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC19\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-curl\", rpm:\"mingw-curl~7.37.0~1.fc19\", rls:\"FC19\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:50:54", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147351.html", "2014-17596"], "pluginID": "1361412562310868649", "description": "Check the version of mingw-curl", "edition": 5, "reporter": "Copyright (C) 2015 Greenbone Networks GmbH", "published": "2015-01-05T00:00:00", "title": "Fedora Update for mingw-curl FEDORA-2014-17596", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-3613", "CVE-2014-0139", "CVE-2014-3707", "CVE-2014-3620", "CVE-2014-0138", "CVE-2013-4545"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310868649", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310868649", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for mingw-curl FEDORA-2014-17596\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.868649\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-05 14:38:42 +0100 (Mon, 05 Jan 2015)\");\n script_cve_id(\"CVE-2014-3707\", \"CVE-2014-3620\", \"CVE-2014-3613\", \"CVE-2014-0138\",\n \"CVE-2014-0139\", \"CVE-2013-4545\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_name(\"Fedora Update for mingw-curl FEDORA-2014-17596\");\n script_tag(name: \"summary\", value: \"Check the version of mingw-curl\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,\nDICT, TELNET and TFTP servers, using any of the supported protocols.\ncURL is designed to work without user interaction or any kind of\ninteractivity. cURL offers many useful capabilities, like proxy\nsupport, user authentication, FTP upload, HTTP post, and file transfer\nresume.\n\nThis is the MinGW cross-compiled Windows library.\n\");\n script_tag(name: \"affected\", value: \"mingw-curl on Fedora 20\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2014-17596\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147351.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC20\")\n{\n\n if ((res = isrpmvuln(pkg:\"mingw-curl\", rpm:\"mingw-curl~7.39.0~1.fc20\", rls:\"FC20\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "debian": [{"lastseen": "2018-10-18T13:49:57", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl3_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl3-gnutls_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl3-gnutls", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl4-gnutls-dev_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl4-gnutls-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl4-openssl-dev_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl4-openssl-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl3-dbg_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl3-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "curl_7.21.0-2.1+squeeze5_all.deb", "packageName": "curl", "operator": "lt"}, {"OS": "Debian", "OSVersion": "7", "packageVersion": "7.26.0-1+wheezy5", "arch": "all", "packageFilename": "curl_7.26.0-1+wheezy5_all.deb", "packageName": "curl", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2798-1 security@debian.org\nhttp://www.debian.org/security/ Michael Gilbert\nNovember 17, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : curl\nVulnerability : unchecked ssl certificate host name\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-4545\n\nScott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem\nhas been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2013-11-17T18:32:51", "title": "[SECURITY] [DSA 2798-1] curl security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:49:57", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4545"], "modified": "2013-11-17T18:32:51", "id": "DEBIAN:DSA-2798-1:7716A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00212.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-18T13:48:22", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "7.26.0-1+wheezy6", "arch": "all", "packageFilename": "curl_7.26.0-1+wheezy6_all.deb", "packageName": "curl", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl3_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl3-gnutls_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl3-gnutls", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl4-gnutls-dev_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl4-gnutls-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl4-openssl-dev_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl4-openssl-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl3-nss_7.33.0-1_all.deb", "packageName": "libcurl3-nss", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl4-openssl-dev_7.33.0-1_all.deb", "packageName": "libcurl4-openssl-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl4-doc_7.33.0-1_all.deb", "packageName": "libcurl4-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze6", "arch": "all", "packageFilename": "curl_7.21.0-2.1+squeeze6_all.deb", "packageName": "curl", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze6", "arch": "all", "packageFilename": "libcurl4-openssl-dev_7.21.0-2.1+squeeze6_all.deb", "packageName": "libcurl4-openssl-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze6", "arch": "all", "packageFilename": "libcurl3-gnutls_7.21.0-2.1+squeeze6_all.deb", "packageName": "libcurl3-gnutls", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "libcurl3-dbg_7.21.0-2.1+squeeze5_all.deb", "packageName": "libcurl3-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze6", "arch": "all", "packageFilename": "libcurl4-gnutls-dev_7.21.0-2.1+squeeze6_all.deb", "packageName": "libcurl4-gnutls-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl4-nss-dev_7.33.0-1_all.deb", "packageName": "libcurl4-nss-dev", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze5", "arch": "all", "packageFilename": "curl_7.21.0-2.1+squeeze5_all.deb", "packageName": "curl", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze6", "arch": "all", "packageFilename": "libcurl3_7.21.0-2.1+squeeze6_all.deb", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Debian", "OSVersion": "6", "packageVersion": "7.21.0-2.1+squeeze6", "arch": "all", "packageFilename": "libcurl3-dbg_7.21.0-2.1+squeeze6_all.deb", "packageName": "libcurl3-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl3_7.33.0-1_all.deb", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl3-dbg_7.33.0-1_all.deb", "packageName": "libcurl3-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl3-gnutls_7.33.0-1_all.deb", "packageName": "libcurl3-gnutls", "operator": "lt"}, {"OS": "Debian", "OSVersion": "7", "packageVersion": "7.26.0-1+wheezy5", "arch": "all", "packageFilename": "curl_7.26.0-1+wheezy5_all.deb", "packageName": "curl", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "curl_7.33.0-1_all.deb", "packageName": "curl", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "7.33.0-1", "arch": "all", "packageFilename": "libcurl4-gnutls-dev_7.33.0-1_all.deb", "packageName": "libcurl4-gnutls-dev", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-2798-2 security@debian.org\nhttp://www.debian.org/security/ Salvatore Bonaccorso\nNovember 20, 2013 http://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : curl\nVulnerability : unchecked ssl certificate host name\nProblem type : remote\nDebian-specific: no\nCVE ID : CVE-2013-4545\n\nThe update for curl in DSA-2798-1 uncovered a regression affecting the\ncurl command line tool behaviour (#729965). This update disables host\nverification too when using the --insecure option.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze6.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy6.\n\nFor the testing (jessie) and unstable (sid) distributions, the curl\ncommand line tool behaves as expected with the --insecure option.\n\nFor reference the original advisory text follows.\n\nScott Cantor discovered that curl, a file retrieval tool, would disable\nthe CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting\nwas disabled. This would also disable ssl certificate host name checks\nwhen it should have only disabled verification of the certificate trust\nchain.\n\nThe default configuration for the curl package is not affected by this\nissue since CURLOPT_SSLVERIFYPEER is enabled by default.\n\nFor the oldstable distribution (squeeze), this problem has been fixed in\nversion 7.21.0-2.1+squeeze5.\n\nFor the stable distribution (wheezy), this problem has been fixed in\nversion 7.26.0-1+wheezy5.\n\nFor the testing (jessie) and unstable (sid) distributions, this problem\nhas been fixed in version 7.33.0-1.\n\nWe recommend that you upgrade your curl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: http://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 2, "reporter": "Debian", "published": "2013-11-20T22:17:13", "title": "[SECURITY] [DSA 2798-2] curl security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:48:22", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4545"], "modified": "2013-11-20T22:17:13", "id": "DEBIAN:DSA-2798-2:B3298", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2013/msg00213.html", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:06", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2013-4545"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "13.04", "packageVersion": "7.29.0-1ubuntu3.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.10", "packageVersion": "7.27.0-1ubuntu1.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "13.10", "packageVersion": "7.32.0-1ubuntu1.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "7.22.0-3ubuntu4.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libcurl3", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "7.19.7-1ubuntu1.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libcurl3", "operator": "lt"}], "description": "Scott Cantor discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications.", "edition": 3, "reporter": "Ubuntu", "published": "2013-12-05T00:00:00", "title": "curl vulnerability", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2013-4545"], "modified": "2013-12-05T00:00:00", "id": "USN-2048-1", "href": "https://usn.ubuntu.com/2048-1/", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:49", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n _______________________________________________________________________\r\n\r\n Mandriva Linux Security Advisory MDVSA-2013:276\r\n http://www.mandriva.com/en/support/security/\r\n _______________________________________________________________________\r\n\r\n Package : curl\r\n Date : November 21, 2013\r\n Affected: Business Server 1.0, Enterprise Server 5.0\r\n _______________________________________________________________________\r\n\r\n Problem Description:\r\n\r\n Updated curl packages fix security vulnerability:\r\n \r\n Scott Cantor discovered that curl, a file retrieval tool, would disable\r\n the CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER\r\n setting was disabled. This would also disable ssl certificate host\r\n name checks when it should have only disabled verification of the\r\n certificate trust chain &#40;CVE-2013-4545&#41;.\r\n _______________________________________________________________________\r\n\r\n References:\r\n\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545\r\n http://advisories.mageia.org/MGASA-2013-0338.html\r\n _______________________________________________________________________\r\n\r\n Updated Packages:\r\n\r\n Mandriva Enterprise Server 5:\r\n 8f84022018a0be9caba70cc8cf6b98d1 mes5/i586/curl-7.19.0-2.8mdvmes5.2.i586.rpm\r\n e86ae32c140ab086117a626b1dc4247c mes5/i586/curl-examples-7.19.0-2.8mdvmes5.2.i586.rpm\r\n af24903c9f5de553fb3608bd58218f24 mes5/i586/libcurl4-7.19.0-2.8mdvmes5.2.i586.rpm\r\n bf050fb57bfcdf91bb8b60f3b0c0e25f mes5/i586/libcurl-devel-7.19.0-2.8mdvmes5.2.i586.rpm \r\n dfb61d68c4c646ab7bd0a9d3a1c39469 mes5/SRPMS/curl-7.19.0-2.8mdvmes5.2.src.rpm\r\n\r\n Mandriva Enterprise Server 5/X86_64:\r\n 4ccbd52d83d96e492d15463f39e4592e mes5/x86_64/curl-7.19.0-2.8mdvmes5.2.x86_64.rpm\r\n 9c4dd21c21347ef24faa736eec23f8d1 mes5/x86_64/curl-examples-7.19.0-2.8mdvmes5.2.x86_64.rpm\r\n 1ec84b9e08af585ec52115c780f8f7ad mes5/x86_64/lib64curl4-7.19.0-2.8mdvmes5.2.x86_64.rpm\r\n d9ca888f8a41efdbed7413c08b0a3c6c mes5/x86_64/lib64curl-devel-7.19.0-2.8mdvmes5.2.x86_64.rpm \r\n dfb61d68c4c646ab7bd0a9d3a1c39469 mes5/SRPMS/curl-7.19.0-2.8mdvmes5.2.src.rpm\r\n\r\n Mandriva Business Server 1/X86_64:\r\n 1c6d38ad16cfbbd7c08ac4db92c3c322 mbs1/x86_64/curl-7.24.0-2.3.mbs1.x86_64.rpm\r\n 47944d2322c89eb7e167ff2cfaaa0c21 mbs1/x86_64/curl-examples-7.24.0-2.3.mbs1.x86_64.rpm\r\n 6b2c3b949347f726bb1a68700d3de178 mbs1/x86_64/lib64curl4-7.24.0-2.3.mbs1.x86_64.rpm\r\n 1b2449e78f76b8af262fa990317cc6f4 mbs1/x86_64/lib64curl-devel-7.24.0-2.3.mbs1.x86_64.rpm \r\n 5158e7b7a60bad696d90178ec462c6a0 mbs1/SRPMS/curl-7.24.0-2.3.mbs1.src.rpm\r\n _______________________________________________________________________\r\n\r\n To upgrade automatically use MandrivaUpdate or urpmi. The verification\r\n of md5 checksums and GPG signatures is performed automatically for you.\r\n\r\n All packages are signed by Mandriva for security. You can obtain the\r\n GPG public key of the Mandriva Security Team by executing:\r\n\r\n gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98\r\n\r\n You can view other update advisories for Mandriva Linux at:\r\n\r\n http://www.mandriva.com/en/support/security/advisories/\r\n\r\n If you want to report vulnerabilities, please contact\r\n\r\n security_&#40;at&#41;_mandriva.com\r\n _______________________________________________________________________\r\n\r\n Type Bits/KeyID Date User ID\r\n pub 1024D/22458A98 2000-07-10 Mandriva Security Team\r\n &lt;security*mandriva.com&gt;\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.12 &#40;GNU/Linux&#41;\r\n\r\niD8DBQFSjdjzmqjQ0CJFipgRAixLAJ41ILVt778Lt5wIF9Jwom7KBcuW5gCffIDn\r\nM5ZuM4EwtuqxlZfXqbsmaJI=\r\n=iHkm\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-11-26T00:00:00", "title": "[ MDVSA-2013:276 ] curl", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:49", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-4545"], "modified": "2013-11-26T00:00:00", "id": "SECURITYVULNS:DOC:30021", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30021", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:53", "references": ["https://vulners.com/securityvulns/securityvulns:doc:30129", "https://vulners.com/securityvulns/securityvulns:doc:30021"], "description": "\u0418\u043c\u044f \u0445\u043e\u0441\u0442\u0430 \u043d\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442\u0441\u044f \u043f\u0440\u0438 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u043e\u043c CURLOPT_SSL_VERIFYPEER.", "edition": 1, "reporter": "BUGTRAQ", "published": "2013-12-23T00:00:00", "title": "cURL certificates spoofing", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:53", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "cURL", "version": "7.32", "operator": "eq"}], "cvelist": ["CVE-2013-6422", "CVE-2013-4545"], "modified": "2013-12-23T00:00:00", "id": "SECURITYVULNS:VULN:13420", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13420", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T11:09:57", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31138", "https://vulners.com/securityvulns/securityvulns:doc:31214"], "description": "DoS, XSS, CSRF, clickjacking, unauthorized access, information leakage.", "edition": 1, "reporter": "BUGTRAQ", "published": "2014-10-15T00:00:00", "title": "HP System Management Homepage multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:57", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "HP System Management Homepage", "version": "7.3", "operator": "eq"}], "cvelist": ["CVE-2014-2641", "CVE-2013-6422", "CVE-2014-2640", "CVE-2014-2642", "CVE-2013-6420", "CVE-2014-7874", "CVE-2013-6712", "CVE-2013-4545"], "modified": "2014-10-15T00:00:00", "id": "SECURITYVULNS:VULN:13993", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13993", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:54", "references": [], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c04463322\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c04463322\r\nVersion: 1\r\n\r\nHPSBMU03112 rev.1 - HP System Management Homepage &#40;SMH&#41; on Linux and Windows,\r\nMultiple Vulnerabilities\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2014-09-30\r\nLast Updated: 2014-09-30\r\n\r\nPotential Security Impact: Cross-site scripting &#40;XSS&#41;, Cross-site Request\r\nForgery &#40;CSRF&#41;, unauthorized disclosure of information, Denial of Service\r\n&#40;DoS&#41;, and Clickjacking\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP System\r\nManagement Homepage &#40;SMH&#41; on Linux and Windows. The vulnerabilities could be\r\nexploited remotely resulting in Cross-site Scripting &#40;XSS&#41;, Cross-site\r\nRequest Forgery &#40;CSRF&#41;, unauthorized disclosure of information, Denial of\r\nService &#40;DoS&#41;, and Clickjacking.\r\n\r\nReferences:\r\n\r\nCVE-2013-4545 Unauthorized modification\r\nCVE-2013-6420 &#40;SSRT101447&#41; Unauthorized disclosure of information\r\nCVE-2013-6422 Unauthorized disclosure of information\r\nCVE-2013-6712 &#40;SSRT101447&#41; Denial of Service &#40;DoS&#41;\r\nCVE-2014-2640 &#40;SSRT101633, SSRT101438&#41; Cross-site Scripting &#40;XSS&#41;\r\nCVE-2014-2641 &#40;SSRT101438&#41; Cross-site Request Forgery &#40;CSRF&#41;\r\nCVE-2014-2642 &#40;SSRT101701&#41; Clickjacking\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP System Management Homepage &#40;SMH&#41; for Linux and Windows prior to version\r\n7.4\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-4545 &#40;AV:N/AC:M/Au:N/C:N/I:P/A:N&#41; 4.3\r\nCVE-2013-6420 &#40;AV:N/AC:L/Au:N/C:P/I:P/A:P&#41; 7.5\r\nCVE-2013-6422 &#40;AV:N/AC:H/Au:N/C:P/I:P/A:N&#41; 4.0\r\nCVE-2013-6712 &#40;AV:N/AC:L/Au:N/C:N/I:N/A:P&#41; 5.0\r\nCVE-2014-2640 &#40;AV:N/AC:M/Au:N/C:N/I:P/A:N&#41; 4.3\r\nCVE-2014-2641 &#40;AV:N/AC:M/Au:S/C:P/I:P/A:P&#41; 6.0\r\nCVE-2014-2642 &#40;AV:N/AC:M/Au:N/C:N/I:P/A:N&#41; 4.3\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software updates available to resolve the\r\nvulnerabilities for the impacted versions of HP System Management Homepage\r\n&#40;SMH&#41; for Linux and Windows:\r\n\r\nhttp://h18013.www1.hp.com/products/servers/management/agents/\r\n\r\nHISTORY\r\nVersion:1 &#40;rev.1&#41; - 30 September 2014 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer&#39;s patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2014 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided &quot;as is&quot;\r\nwithout warranty of any kind. To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits; damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 &#40;GNU/Linux&#41;\r\n\r\niEYEARECAAYFAlQq3FIACgkQ4B86/C0qfVnTlwCgwWcDOjjkcFklK+74zGBRsqba\r\n3ZYAn2AXFQpMSaHHK8pqKv05UM/d1b7R\r\n=qkt6\r\n-----END PGP SIGNATURE-----\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2014-10-05T00:00:00", "title": "[security bulletin] HPSBMU03112 rev.1 - HP System Management Homepage &#40;SMH&#41; on Linux and Windows, Multiple Vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:54", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2014-2641", "CVE-2013-6422", "CVE-2014-2640", "CVE-2014-2642", "CVE-2013-6420", "CVE-2013-6712", "CVE-2013-4545"], "modified": "2014-10-05T00:00:00", "id": "SECURITYVULNS:DOC:31138", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31138", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:00", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31921"], "description": "Over 90 different vulnerabilities are fixed in quarterly update.", "edition": 1, "reporter": "ORACLE", "published": "2015-04-17T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:00", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "iPlanet Web Proxy Server", "version": "4.0", "operator": "eq"}, {"name": "Oracle WebCenter Portal", "version": "11.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Fusion Middleware", "version": "11.1", "operator": "eq"}, {"name": "Hyperion Smart View for Office", "version": "11.1", "operator": "eq"}, {"name": "Oracle Retail Central Office", "version": "14.1", "operator": "eq"}, {"name": "OpenSSO", "version": "3.0", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "iPlanet Web Server", "version": "7.0", "operator": "eq"}, {"name": "Outside In Technology", "version": "8.5", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Siebel Applications", "version": "8.2", "operator": "eq"}, {"name": "Oracle VM Server for SPARC", "version": "3.2", "operator": "eq"}, {"name": "Oracle", "version": "11.2", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Oracle Commerce Guided Search", "version": "11.1", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "eq"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "eq"}, {"name": "Solaris", "version": "11.2", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "11.5", "operator": "eq"}, {"name": "MySQL Enterprise Monitor", "version": "3.0", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "Oracle Commerce Platform", "version": "10.2", "operator": "eq"}, {"name": "Demand Planning", "version": "12.2", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "Oracle Knowledge", "version": "8.4", "operator": "eq"}, {"name": "WebLogic Server", "version": "12.1", "operator": "eq"}, {"name": "SQL Trace Analyzer", "version": "12.1", "operator": "eq"}, {"name": "GlassFish Server", "version": "2.1", "operator": "eq"}, {"name": "MySQL Connectors", "version": "5.1", "operator": "eq"}, {"name": "Java FX", "version": "2.2", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Agile Engineering Data Management", "version": "6.1", "operator": "eq"}, {"name": "GoldenGate Monitor", "version": "11.1", "operator": "eq"}, {"name": "JD Edwards EnterpriseOne Technology", "version": "9.1", "operator": "eq"}, {"name": "MySQL Utilities", "version": "1.5", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Oracle WebCenter Sites", "version": "11.1", "operator": "eq"}, {"name": "Oracle Argus Safety", "version": "8.0", "operator": "eq"}, {"name": "Solaris", "version": "10", "operator": "eq"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "6.2", "operator": "eq"}, {"name": "PeopleSoft Enterprise Portal Interaction Hub", "version": "9.1", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "iPlanet Web Server", "version": "6.1", "operator": "eq"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.2", "operator": "eq"}], "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2015-2570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", "CVE-2015-0456", "CVE-2013-4545"], "modified": "2015-04-17T00:00:00", "id": "SECURITYVULNS:VULN:14393", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14393", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:58", "references": [], "description": "Over 150 vulnerabilities in different applications are closed in auqrterly update.", "edition": 1, "reporter": "BUGTRAQ", "published": "2015-01-25T00:00:00", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:58", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Enterprise Asset Management", "version": "8.2", "operator": "eq"}, {"name": "Wavese", "version": "8.1", "operator": "eq"}, {"name": "Java SE", "version": "8", "operator": "eq"}, {"name": "Oracle Forms", "version": "11.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "3.5", "operator": "eq"}, {"name": "Fusion Middleware", "version": "11.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "5.5", "operator": "eq"}, {"name": "Healthcare Master Person Index", "version": "2", "operator": "eq"}, {"name": "Oracle", "version": "12.1", "operator": "eq"}, {"name": "MICROS Retail", "version": "6.5", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "10.1", "operator": "eq"}, {"name": "SOA Suite", "version": "11.1", "operator": "eq"}, {"name": "Java SE Embedded", "version": "8", "operator": "eq"}, {"name": "Communications Diameter Signaling Router", "version": "5.0", "operator": "eq"}, {"name": "Exalogic Infrastructure", "version": "2.0", "operator": "eq"}, {"name": "Siebel Applications", "version": "8.2", "operator": "eq"}, {"name": "WebLogic Portal", "version": "10.3", "operator": "eq"}, {"name": "BI Publisher", "version": "10.1", "operator": "eq"}, {"name": "RTD Platform", "version": "3.0", "operator": "eq"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Oracle Real-Time Decision Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "12.2", "operator": "eq"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "eq"}, {"name": "Oracle E-Business Suite", "version": "11.5", "operator": "eq"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "eq"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "eq"}, {"name": "SOA Suite", "version": "12.1", "operator": "eq"}, {"name": "Solaris Cluster", "version": "4.1", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "11.1", "operator": "eq"}, {"name": "Enterprise Manager Base Platform", "version": "12.1", "operator": "eq"}, {"name": "Integrated Lights Out Manager", "version": "3.2", "operator": "eq"}, {"name": "WebLogic Server", "version": "12.1", "operator": "eq"}, {"name": "OpenSSO", "version": "8.0", "operator": "eq"}, {"name": "WebLogic Server", "version": "10.3", "operator": "eq"}, {"name": "MICROS Retail", "version": "4.8", "operator": "eq"}, {"name": "Oracle Containers for J2EE", "version": "10.1", "operator": "eq"}, {"name": "MySQL Server", "version": "5.6", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.1", "operator": "eq"}, {"name": "Agile PLM for Process", "version": "6.1", "operator": "eq"}, {"name": "Oracle Directory Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle Reports", "version": "11.1", "operator": "eq"}, {"name": "WebCenter Content", "version": "11.1", "operator": "eq"}, {"name": "VirtualBox", "version": "4.3", "operator": "eq"}, {"name": "Oracle Directory Server", "version": "7.0", "operator": "eq"}, {"name": "MySQL Server", "version": "5.5", "operator": "eq"}, {"name": "Oracle Access Manager", "version": "11.1", "operator": "eq"}, {"name": "Fusion Middleware", "version": "10.1", "operator": "eq"}, {"name": "Solaris", "version": "11", "operator": "eq"}, {"name": "Oracle", "version": "11.1", "operator": "eq"}, {"name": "BI Publisher", "version": "11.1", "operator": "eq"}, {"name": "Fusion Middleware", "version": "12.1", "operator": "eq"}, {"name": "Solaris", "version": "10", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "11.1", "operator": "eq"}, {"name": "Oracle HTTP Server", "version": "12.1", "operator": "eq"}, {"name": "Fusion Applications", "version": "11.1", "operator": "eq"}, {"name": "Agile PLM", "version": "9.3", "operator": "eq"}, {"name": "JD Edwards EnterpriseOne Tool", "version": "9.1", "operator": "eq"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "eq"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "eq"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.1", "operator": "eq"}, {"name": "JRockit", "version": "28.3", "operator": "eq"}, {"name": "GlassFish Server", "version": "3.0", "operator": "eq"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "eq"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "eq"}, {"name": "Communications Messaging Server", "version": "7.0", "operator": "eq"}], "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-6599", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2014-0114", "CVE-2015-0364", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "modified": "2015-01-25T00:00:00", "id": "SECURITYVULNS:VULN:14233", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14233", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2018-11-16T08:23:14", "references": [], "description": "### *CVSS*:\n7.5\n\n### *Detect date*:\n01/10/2014\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities was found in HP SMH. By exploiting these vulnerabilities malicious users can conduct XSS, CSRF and clicjacking attacks via unspecified vectors. These vulnerabilities can be exploited remotely.\n\n### *Affected products*:\nHP System Management Homepage (SMH) versions earlier than 7.4\n\n### *Solution*:\nUpdate to latest version \n[Get HP SMH](<http://www8.hp.com/us/en/products/server-software/product-detail.html?oid=344313>)\n\n### *Original advisories*:\n[HP bulletin](<https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04463322>) \n\n\n### *Impacts*:\nXSSCSS \n\n### *Related products*:\n[HP System Management Homepage](<https://threats.kaspersky.com/en/product/HP-System-Management-Homepage/>)\n\n### *CVE-IDS*:\n[CVE-2013-6712](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712>) \n[CVE-2013-6422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6422>) \n[CVE-2014-2641](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2641>) \n[CVE-2014-2640](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2640>) \n[CVE-2014-2642](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2642>) \n[CVE-2013-6420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420>) \n[CVE-2013-4545](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545>)", "edition": 23, "reporter": "Kaspersky Lab", "published": "2014-01-10T00:00:00", "title": "\r KLA10458Multiple vulnerabilities in HP SMH ", "type": "kaspersky", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2014-2641", "CVE-2013-6422", "CVE-2014-2640", "CVE-2014-2642", "CVE-2013-6420", "CVE-2013-6712", "CVE-2013-4545"], "modified": "2018-11-15T00:00:00", "id": "KLA10458", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10458", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "oracle": [{"lastseen": "2018-08-31T04:14:01", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 98 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-04-14T00:00:00", "title": "Oracle Critical Patch Update - April 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebCenter Sites", "version": "7.6.2", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Technology", "version": "9.1", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.2", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "3.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Java VM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.10", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.0.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.3", "operator": "le"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "5.2", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "7u76", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.x", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "12.0IN", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Java SE, JRockit", "version": "5.0u81", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.6", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.0", "operator": "le"}, {"name": "Oracle GoldenGate Monitor", "version": "11.1.2.1.0", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "6u91", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Java SE, JRockit", "version": "28.3.5", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.1", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Health Sciences Argus Safety", "version": "8.0", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "12.1.0.1", "operator": "le"}, {"name": "Application Management Pack for Oracle E-Business Suite", "version": "121020", "operator": "le"}, {"name": "Java SE", "version": "5.0u81", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u91", "operator": "le"}, {"name": "SQL Trace Analyzer", "version": "12.1.11", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Utilities", "version": "1.5.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Application Management Pack for Oracle E-Business Suite", "version": "121030", "operator": "le"}, {"name": "Oracle Hyperion Smart View for Office", "version": "11.1.2.5.216", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u40", "operator": "le"}, {"name": "Java SE", "version": "7u76", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "9.4", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.1", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.0.18", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "1.x", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.16", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Oracle Knowledge", "version": "8.2.3.10.1", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.1", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Java SE", "version": "8u40", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Strategic Sourcing", "version": "9.2", "operator": "le"}, {"name": "Cisco MDS Fiber Channel Switch", "version": "6.2", "operator": "le"}, {"name": "Oracle Installed Base", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "12.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "8u40", "operator": "le"}, {"name": "XDB - XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "6.1", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.4.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.42", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.0.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.22", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Knowledge", "version": "8.4.7.2", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "MySQL Connectors", "version": "5.1.34", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "XDB - XML Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Java SE", "version": "6u91", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "2.2.76", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Java SE, JavaFX", "version": "5.0u81", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Demand Planning", "version": "11.5.10", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "2.3.19", "operator": "le"}, {"name": "XDK and XDB - XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.41", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.0", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.x", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.x", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u76", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "PeopleSoft Enterprise Portal Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-2576", "CVE-2015-0489", "CVE-2015-0466", "CVE-2015-0473", "CVE-2015-0455", "CVE-2015-0484", "CVE-2014-3566", "CVE-2015-0504", "CVE-2015-0482", "CVE-2015-0235", "CVE-2015-0493", "CVE-2015-0463", "CVE-2015-2579", "CVE-2015-0474", "CVE-2015-0492", "CVE-2014-7809", "CVE-2015-0495", "CVE-2015-0440", "CVE-2015-2567", "CVE-2014-3572", "CVE-2015-0206", "CVE-2015-0502", "CVE-2015-0477", "CVE-2015-0469", "CVE-2015-2568", "CVE-2015-0506", "CVE-2015-2575", "CVE-2015-0447", "CVE-2014-3571", "CVE-2015-0476", "CVE-2015-0511", "CVE-2015-0458", "CVE-2015-0483", "CVE-2014-0116", "CVE-2015-0487", "CVE-2015-0453", "CVE-2015-2572", "CVE-2015-0490", "CVE-2015-2574", "CVE-2015-0510", "CVE-2015-0497", "CVE-2015-0501", "CVE-2015-0450", "CVE-2015-0439", "CVE-2015-0448", "CVE-2015-0472", "CVE-2015-0462", "CVE-2015-0459", "CVE-2015-0507", "CVE-2015-2571", "CVE-2015-0475", "CVE-2014-8275", "CVE-2015-2570", "CVE-2014-3570", "CVE-2015-0509", "CVE-2015-0494", "CVE-2015-0461", "CVE-2015-0503", "CVE-2015-0449", "CVE-2014-0050", "CVE-2015-0500", "CVE-2015-0405", "CVE-2013-4286", "CVE-2015-0451", "CVE-2015-2577", "CVE-2014-1568", "CVE-2015-0478", "CVE-2015-2565", "CVE-2015-0496", "CVE-2015-0204", "CVE-2014-0094", "CVE-2015-2578", "CVE-2015-2566", "CVE-2015-0460", "CVE-2015-0488", "CVE-2015-0470", "CVE-2015-0471", "CVE-2015-0423", "CVE-2015-0498", "CVE-2014-0113", "CVE-2015-0438", "CVE-2015-0480", "CVE-2015-0499", "CVE-2015-0433", "CVE-2015-0441", "CVE-2015-0486", "CVE-2015-0452", "CVE-2014-0112", "CVE-2015-0508", "CVE-2015-0457", "CVE-2015-0505", "CVE-2015-0465", "CVE-2015-0479", "CVE-2015-2573", "CVE-2015-0205", "CVE-2015-0485", "CVE-2014-3569", "CVE-2015-0464", "CVE-2015-0491", "CVE-2015-0456", "CVE-2013-4545"], "modified": "2015-05-20T00:00:00", "id": "ORACLE:CPUAPR2015-2365600", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:14:03", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 193 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\n** Please note that on May 15, 2015, Oracle released [Security Alert for CVE-2015-3456 (QEMU \"Venom\")](<http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2015-3456. **\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-07-14T00:00:00", "title": "Oracle Critical Patch Update - July 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebCenter Portal", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "6.1", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "8u33", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.6", "operator": "le"}, {"name": "Oracle VM Server for SPARC", "version": "3.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Hyperion Enterprise Performance Management Architect", "version": "11.1.2.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "8u33", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "3.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.3", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2260", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.3", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Java VM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "7u80", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.4", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "12.1.0.7", "operator": "le"}, {"name": "Sun Blade 6000 Ethernet Switched NEM 24P 10GE", "version": "1.2.2", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "2.2.80", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Event Processing", "version": "11.1.1.7", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "12.1.0.2", "operator": "le"}, {"name": "Data Store", "version": "11.2.5.2.42", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "10.3", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "7u75", "operator": "le"}, {"name": "PeopleSoft Enteprise Portal - Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.40", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Candidate Gateway", "version": "9.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.32", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.1.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "12.1.0.6", "operator": "le"}, {"name": "Oracle Marketing", "version": "11.5.10.2", "operator": "le"}, {"name": "Sun Ray Software", "version": "5.4.4", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u33", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "6u95", "operator": "le"}, {"name": "Oracle OLAP", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.32", "operator": "le"}, {"name": "Technology stack", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "3.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Switch ES1-24", "version": "1.3.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.1", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.2", "operator": "le"}, {"name": "Hyperion Common Security", "version": "11.1.2.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "12.1.0.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u80", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2", "operator": "le"}, {"name": "Oracle Application Express", "version": "4.2.3.00.08", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Sun Network 10GE Switch 72p", "version": "1.2.2", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "2.2.2", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "11.1.1.3.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.1.3", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Application Express", "version": "5.0", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "12.1.0.2", "operator": "le"}, {"name": "Siebel Core - Server OM Svcs", "version": "8.1.1", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "8u45", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "11.2.0.3", "operator": "le"}, {"name": "Hyperion Enterprise Performance Management Architect", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Data Store", "version": "11.2.5.3.28", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.22", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0", "operator": "le"}, {"name": "Hyperion Common Security", "version": "11.1.2.3", "operator": "le"}, {"name": "Technology stack", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.23", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.24", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "11.2.0.4", "operator": "le"}, {"name": "Technology stack", "version": "12.1.3", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.0", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.6.1", "operator": "le"}, {"name": "Oracle Traffic Director", "version": "11.1.1.7.0", "operator": "le"}, {"name": "RDBMS Scheduler", "version": "11.1.0.7", "operator": "le"}, {"name": "Java SE", "version": "7u80", "operator": "le"}, {"name": "Java SE", "version": "8u45", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.2.0.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Hyperion Common Security", "version": "11.1.2.4", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1120", "operator": "le"}, {"name": "Solaris", "version": "11.2", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "11.1.1.2.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Talent Acquisition Manager", "version": "9.1", "operator": "le"}, {"name": "Oracle Agile PLM Framework", "version": "9.3.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64", "version": "1.9.1.2", "operator": "le"}, {"name": "RDBMS Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.30", "operator": "le"}, {"name": "Siebel Core - Server OM Svcs", "version": "15.0", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Communications Session Border Controller", "version": "7.2.0m4", "operator": "le"}, {"name": "Siebel Core - Server OM Svcs", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "6.1", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "7u75", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "6.1.1", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "9.4.2e", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.42", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u75", "operator": "le"}, {"name": "Java SE, JavaFX, Java SE Embedded", "version": "7u80", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "28.3.6", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u95", "operator": "le"}, {"name": "Siebel UI Framework", "version": "15.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.22", "operator": "le"}, {"name": "Oracle Event Processing", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.0.3", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "7.0", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Data Store", "version": "11.2.5.1.29", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "6u95", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "8.7.2.b", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u45", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "12.1.1.0", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "3.1", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "6.2", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Oracle Application Express", "version": "4.2.1", "operator": "le"}, {"name": "Data Store", "version": "12.1.6.0.35", "operator": "le"}, {"name": "RDBMS Partitioning", "version": "12.1.0.2", "operator": "le"}, {"name": "Enterprise Manager for Oracle Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Web Cache", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.0.0.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "Java SE, JRockit, Java SE Embedded", "version": "8u45", "operator": "le"}, {"name": "Oracle OLAP", "version": "12.1.0.1", "operator": "le"}, {"name": "RDBMS Support Tools", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.1.2", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.1", "operator": "le"}, {"name": "Hyperion Essbase", "version": "11.1.2.3", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.1.5", "operator": "le"}, {"name": "Java SE", "version": "6u95", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.43", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Sourcing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.0.2", "operator": "le"}, {"name": "Hyperion Essbase", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.1", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Talent Acquisition Manager", "version": "9.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Candidate Gateway", "version": "9.2", "operator": "le"}], "cvelist": ["CVE-2015-1926", "CVE-2015-1802", "CVE-2015-4000", "CVE-2015-2591", "CVE-2015-0443", "CVE-2015-1803", "CVE-2015-4771", "CVE-2015-2627", "CVE-2015-2615", "CVE-2014-3566", "CVE-2015-4764", "CVE-2015-4774", "CVE-2015-2601", "CVE-2015-4738", "CVE-2014-8098", "CVE-2015-0235", "CVE-2015-4729", "CVE-2015-1804", "CVE-2015-4751", "CVE-2015-0444", "CVE-2015-0445", "CVE-2015-4749", "CVE-2014-8092", "CVE-2015-4758", "CVE-2014-7809", "CVE-2015-2643", "CVE-2015-4770", "CVE-2015-4747", "CVE-2015-2661", "CVE-2015-4778", "CVE-2015-2632", "CVE-2015-2625", "CVE-2015-2617", "CVE-2015-4784", "CVE-2015-2664", "CVE-2015-2605", "CVE-2015-2597", "CVE-2015-4785", "CVE-2015-4732", "CVE-2015-2653", "CVE-2014-3572", "CVE-2014-3613", "CVE-2015-0206", "CVE-2014-0227", "CVE-2015-2595", "CVE-2015-4782", "CVE-2015-0286", "CVE-2015-3244", "CVE-2015-2648", "CVE-2015-2657", "CVE-2014-0230", "CVE-2014-8100", "CVE-2015-4789", "CVE-2015-2581", "CVE-2015-2613", "CVE-2015-2658", "CVE-2014-3571", "CVE-2015-4736", "CVE-2015-2599", "CVE-2013-2251", "CVE-2013-5704", "CVE-2015-4739", "CVE-2015-0288", "CVE-2015-4790", "CVE-2013-6422", "CVE-2015-2589", "CVE-2010-1324", "CVE-2015-2623", "CVE-2015-2631", "CVE-2010-4020", "CVE-2015-2596", "CVE-2015-4763", "CVE-2015-0285", "CVE-2015-4783", "CVE-2015-2620", "CVE-2015-2650", "CVE-2011-3389", "CVE-2015-2654", "CVE-2015-0207", "CVE-2015-2607", "CVE-2015-2639", "CVE-2015-2611", "CVE-2015-2645", "CVE-2015-2634", "CVE-2015-2594", "CVE-2014-8275", "CVE-2015-3456", "CVE-2015-0467", "CVE-2015-2584", "CVE-2015-0208", "CVE-2015-2808", "CVE-2013-0249", "CVE-2014-3570", "CVE-2015-2590", "CVE-2015-2656", "CVE-2015-2626", "CVE-2015-2628", "CVE-2015-4768", "CVE-2015-4761", "CVE-2015-4745", "CVE-2015-4750", "CVE-2014-0139", "CVE-2015-2635", "CVE-2015-4756", "CVE-2015-2647", "CVE-2014-3707", "CVE-2015-0293", "CVE-2015-2600", "CVE-2015-2580", "CVE-2014-8097", "CVE-2014-8101", "CVE-2015-2640", "CVE-2015-4733", "CVE-2015-2646", "CVE-2014-1568", "CVE-2015-2651", "CVE-2015-2603", "CVE-2014-8091", "CVE-2015-4765", "CVE-2015-2660", "CVE-2015-2604", "CVE-2015-0255", "CVE-2015-4772", "CVE-2015-2662", "CVE-2015-4735", "CVE-2015-0468", "CVE-2015-4779", "CVE-2015-0209", "CVE-2015-2585", "CVE-2013-2186", "CVE-2014-3567", "CVE-2015-2614", "CVE-2014-0015", "CVE-2015-4737", "CVE-2015-4776", "CVE-2015-4757", "CVE-2015-4728", "CVE-2015-2637", "CVE-2015-2606", "CVE-2015-4769", "CVE-2015-0204", "CVE-2015-2621", "CVE-2015-4786", "CVE-2015-4787", "CVE-2015-2638", "CVE-2015-4740", "CVE-2015-2619", "CVE-2015-4731", "CVE-2014-8095", "CVE-2015-4727", "CVE-2015-4741", "CVE-2015-2636", "CVE-2015-2659", "CVE-2015-2655", "CVE-2015-4775", "CVE-2015-4773", "CVE-2014-8102", "CVE-2015-0291", "CVE-2015-4746", "CVE-2015-2629", "CVE-2014-8096", "CVE-2015-4788", "CVE-2015-4755", "CVE-2015-2602", "CVE-2015-4748", "CVE-2015-0287", "CVE-2015-2622", "CVE-2015-2610", "CVE-2012-0036", "CVE-2013-2174", "CVE-2015-2663", "CVE-2015-4742", "CVE-2014-8093", "CVE-2015-0289", "CVE-2015-2652", "CVE-2015-4759", "CVE-2015-0446", "CVE-2015-0292", "CVE-2015-2582", "CVE-2015-4780", "CVE-2014-1569", "CVE-2015-4781", "CVE-2015-2618", "CVE-2015-2641", "CVE-2015-2593", "CVE-2015-4744", "CVE-2015-2598", "CVE-2014-0138", "CVE-2015-2587", "CVE-2015-2630", "CVE-2015-2592", "CVE-2015-4767", "CVE-2015-0290", "CVE-2015-2616", "CVE-2015-0205", "CVE-2015-2624", "CVE-2015-2609", "CVE-2015-4777", "CVE-2010-1323", "CVE-2015-1787", "CVE-2015-4754", "CVE-2014-3569", "CVE-2015-2588", "CVE-2015-4760", "CVE-2015-2583", "CVE-2015-4743", "CVE-2013-4545", "CVE-2015-4752", "CVE-2015-2586", "CVE-2015-4753", "CVE-2015-2649", "CVE-2015-2612", "CVE-2015-2644"], "modified": "2016-07-07T00:00:00", "id": "ORACLE:CPUJUL2015-2367936", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:47", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n \n\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\n \n\n\nThis Critical Patch Update contains 169 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\n \n\n\nPlease note that on October 16, 2014, Oracle released information for [CVE-2014-3566 \"POODLE\"](<http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html>). Customers of affected Oracle products are strongly advised to apply the fixes and/or configuration steps that were announced for CVE-2014-3566 in addition to the fixes announced in this CPU.\n\n \n\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n\n \n\n", "edition": 3, "reporter": "Oracle", "published": "2015-03-10T00:00:00", "title": "Oracle Critical Patch Update - January 2015", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle HCM Configuration Workbench", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.4.2", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.2", "operator": "le"}, {"name": "Workspace Manager", "version": "12.1.0.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u72", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.3", "operator": "le"}, {"name": "Java SE", "version": "5.0u75", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.3", "operator": "le"}, {"name": "Workspace Manager", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle OpenSSO", "version": "8.0", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.20", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.1.0.7", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "27.8.4", "operator": "le"}, {"name": "Oracle Forms", "version": "11.1.2.2", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1118", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u85", "operator": "le"}, {"name": "Java SE", "version": "8u25", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Enterprise Asset Management", "version": "8.1.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2240", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u71", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "1.x", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "10.1.3.5.0", "operator": "le"}, {"name": "MICROS Retail", "version": "6.0.6", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "11.1.1.7", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.3.", "operator": "le"}, {"name": "Oracle Marketing", "version": "11.5.10.2", "operator": "le"}, {"name": "Java SE", "version": "6u85", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.4", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1", "operator": "le"}, {"name": "Oracle Real-Time Decision Server", "version": "3.0.x", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.3", "operator": "le"}, {"name": "Solaris", "version": "11", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.63", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.34", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.2.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.28", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.1.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u25", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "MICROS Retail", "version": "5.5.3", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.4", "operator": "le"}, {"name": "Siebel Core - Common Components", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.5", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "10.1.3.4.2", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "10.1.3.4.2", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.2.2", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.1.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.2.26", "operator": "le"}, {"name": "Siebel Public Sector", "version": "8.2.2", "operator": "le"}, {"name": "Recovery", "version": "12.1.0.1", "operator": "le"}, {"name": "MICROS Retail", "version": "3.5.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "28.3.4", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "4.x", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "11.1.1.7", "operator": "le"}, {"name": "PeopleSoft Enterprise HRMS", "version": "9.1", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.26", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Containers for J2EE", "version": "10.1.3.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.0.6", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.38", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.28", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.2", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "3", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.2", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "4", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.4", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "5.0u75", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "MICROS Retail", "version": "4.5.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "5.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.1.0", "operator": "le"}, {"name": "Java SE", "version": "7u72", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.0.26", "operator": "le"}, {"name": "Oracle Reports Developer", "version": "11.1.2.2", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.2.2", "operator": "le"}, {"name": "MICROS Retail", "version": "3.2.1", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "7.0.5.33.0", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle iLearning", "version": "6.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.1.1", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1119", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "8.1.1", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.3.14", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "MICROS Retail", "version": "6.5.2", "operator": "le"}, {"name": "PL/SQL", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.2.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.0.4", "operator": "le"}, {"name": "Workspace Manager", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.40", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.53", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u6", "operator": "le"}, {"name": "Siebel Life Sciences", "version": "8.2.2", "operator": "le"}, {"name": "Integrated Lights Out Manager(ILOM)", "version": "3.2.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.0.2.0", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.0.1.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "7.0", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "11.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.19", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S Servers", "version": "2232", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "5.0", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "4.1.36", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.52", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router", "version": "3.x", "operator": "le"}, {"name": "Siebel Core - Server Infrastructure", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.2.2", "operator": "le"}, {"name": "Oracle Agile PLM for Process", "version": "6.1.0.3", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.1.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.21", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.2.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Telecommunications Billing Integrator", "version": "12.0.5", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "11.5.10.2", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.1.7", "operator": "le"}, {"name": "Oracle HCM Configuration Workbench", "version": "12.0.4", "operator": "le"}, {"name": "PL/SQL", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.2", "operator": "le"}, {"name": "Recovery", "version": "11.1.0.7", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.0.6", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "2.x", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.0.5", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.2.1.0", "operator": "le"}, {"name": "Siebel Core - Server BizLogic Script", "version": "8.2.2", "operator": "le"}, {"name": "PL/SQL", "version": "12.1.0.1", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "3.2.24", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.1", "operator": "le"}, {"name": "Siebel Core - EAI", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core EAI", "version": "8.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "4.0.1", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "MICROS Retail", "version": "5.0.3", "operator": "le"}, {"name": "Oracle Exalogic Infrastructure", "version": "2.0.6.2.0", "operator": "le"}, {"name": "XML Developer's Kit for C", "version": "11.2.0.3", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.1.5", "operator": "le"}, {"name": "Oracle Applications Framework", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.3", "operator": "le"}, {"name": "Siebel Core - System Management", "version": "8.1.1", "operator": "le"}, {"name": "Siebel Core - Server OM Services", "version": "8.1.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.0.6", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.3.6.0", "operator": "le"}, {"name": "MICROS Retail", "version": "4.8.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop", "version": "4.71", "operator": "le"}, {"name": "Recovery", "version": "11.2.0.3", "operator": "le"}, {"name": "Oracle Waveset", "version": "8.1.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2015-0388", "CVE-2014-6574", "CVE-2015-0390", "CVE-2011-4317", "CVE-2014-6592", "CVE-2014-3566", "CVE-2011-4461", "CVE-2015-0386", "CVE-2015-0425", "CVE-2014-6566", "CVE-2013-4784", "CVE-2014-0191", "CVE-2015-0365", "CVE-2014-6579", "CVE-2014-6556", "CVE-2014-0231", "CVE-2014-6571", "CVE-2015-0427", "CVE-2014-6578", "CVE-2015-0398", "CVE-2014-6510", "CVE-2014-6595", "CVE-2011-3607", "CVE-2014-6518", "CVE-2015-0385", "CVE-2015-0395", "CVE-2015-0368", "CVE-2013-6449", "CVE-2014-6575", "CVE-2015-0380", "CVE-2015-0424", "CVE-2003-0001", "CVE-2014-6565", "CVE-2015-0407", "CVE-2014-0076", "CVE-2015-0362", "CVE-2015-0430", "CVE-2014-6585", "CVE-2015-0410", "CVE-2013-5704", "CVE-2015-0402", "CVE-2015-0379", "CVE-2014-6548", "CVE-2015-0396", "CVE-2015-0422", "CVE-2015-0435", "CVE-2014-5704", "CVE-2013-5605", "CVE-2014-6584", "CVE-2014-0224", "CVE-2014-4259", "CVE-2015-0391", "CVE-2014-6567", "CVE-2015-0418", "CVE-2013-0338", "CVE-2014-6480", "CVE-2014-6576", "CVE-2015-0428", "CVE-2015-0431", "CVE-2014-0098", "CVE-2014-6549", "CVE-2015-0420", "CVE-2015-0432", "CVE-2015-0383", "CVE-2011-3389", "CVE-2013-1741", "CVE-2014-6583", "CVE-2014-6597", "CVE-2014-4279", "CVE-2004-0230", "CVE-2015-0369", "CVE-2014-6525", "CVE-2015-0372", "CVE-2014-6582", "CVE-2015-0378", "CVE-2015-0392", "CVE-2015-0416", "CVE-2014-6587", "CVE-2013-1740", "CVE-2013-6438", "CVE-2015-0406", "CVE-2015-0401", "CVE-2014-6569", "CVE-2014-3470", "CVE-2012-0053", "CVE-2013-1739", "CVE-2014-6599", "CVE-2014-1492", "CVE-2013-2877", "CVE-2015-0417", "CVE-2015-0404", "CVE-2013-6450", "CVE-2013-5606", "CVE-2014-0114", "CVE-2015-0364", "CVE-2014-0050", "CVE-2010-5107", "CVE-2011-3368", "CVE-2014-6573", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2015-0371", "CVE-2014-6526", "CVE-2015-0382", "CVE-2014-1568", "CVE-2015-0363", "CVE-2014-6600", "CVE-2014-6580", "CVE-2014-6509", "CVE-2015-0375", "CVE-2015-0414", "CVE-2014-0195", "CVE-2015-0413", "CVE-2014-6593", "CVE-2014-0198", "CVE-2014-6601", "CVE-2014-6594", "CVE-2015-0373", "CVE-2015-0421", "CVE-2013-2186", "CVE-2014-3567", "CVE-2014-6581", "CVE-2014-0015", "CVE-2015-0403", "CVE-2014-6570", "CVE-2015-0408", "CVE-2015-0429", "CVE-2014-6596", "CVE-2014-6521", "CVE-2015-0374", "CVE-2014-6591", "CVE-2014-6586", "CVE-2014-6524", "CVE-2014-6572", "CVE-2015-0370", "CVE-2015-0412", "CVE-2015-0400", "CVE-2015-0409", "CVE-2015-0387", "CVE-2015-0389", "CVE-2015-0399", "CVE-2014-0118", "CVE-2015-0415", "CVE-2014-6590", "CVE-2015-0376", "CVE-2014-6481", "CVE-2015-0393", "CVE-2015-0366", "CVE-2015-0419", "CVE-2014-6568", "CVE-2015-0377", "CVE-2015-0394", "CVE-2015-0397", "CVE-2015-0384", "CVE-2014-6589", "CVE-2014-1491", "CVE-2014-6528", "CVE-2014-6588", "CVE-2014-6541", "CVE-2011-1944", "CVE-2015-0437", "CVE-2014-6514", "CVE-2014-0117", "CVE-2014-4212", "CVE-2015-0436", "CVE-2014-6598", "CVE-2015-0367", "CVE-2014-0226", "CVE-2013-1620", "CVE-2013-4545", "CVE-2015-0426", "CVE-2015-0434", "CVE-2014-0221", "CVE-2015-0411", "CVE-2015-0381", "CVE-2014-6577"], "modified": "2015-01-20T00:00:00", "id": "ORACLE:CPUJAN2015-1972971", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}