ID SUSE-SA:2005:011 Type suse Reporter Suse Modified 2005-02-28T14:07:02
Description
infamous41md@xxxxxxxxxx reported a vulnerability in libcurl, the HTTP/FTP retrieval library. This library is used by lots of programs, including YaST2 and PHP4.
{"cve": [{"lastseen": "2019-05-29T18:08:13", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.", "modified": "2017-10-11T01:29:00", "id": "CVE-2005-0490", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0490", "published": "2005-05-02T04:00:00", "title": "CVE-2005-0490", "type": "cve", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://curl.haxx.se/\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:048)\n[Vendor Specific Advisory URL](http://tech.f5.com/home/bigip/solutions/advisories/sol4447.html)\nSecurity Tracker: 1013253\n[Secunia Advisory ID:14364](https://secuniaresearch.flexerasoftware.com/advisories/14364/)\n[Secunia Advisory ID:14421](https://secuniaresearch.flexerasoftware.com/advisories/14421/)\n[Secunia Advisory ID:14845](https://secuniaresearch.flexerasoftware.com/advisories/14845/)\n[Secunia Advisory ID:14431](https://secuniaresearch.flexerasoftware.com/advisories/14431/)\n[Secunia Advisory ID:14619](https://secuniaresearch.flexerasoftware.com/advisories/14619/)\n[Secunia Advisory ID:15012](https://secuniaresearch.flexerasoftware.com/advisories/15012/)\n[Related OSVDB ID: 14034](https://vulners.com/osvdb/OSVDB:14034)\nOther Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-340.html\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=202&type=vulnerabilities\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-86-1\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2005_11_curl.html\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200503-20.xml\n[CVE-2005-0490](https://vulners.com/cve/CVE-2005-0490)\n", "modified": "2005-02-21T05:23:30", "published": "2005-02-21T05:23:30", "href": "https://vulners.com/osvdb/OSVDB:14033", "id": "OSVDB:14033", "type": "osvdb", "title": "cURL/libcURL NTLM Authentication Curl_input_ntlm() Function Overflow", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in cURL. cURL fails to verify the buffer lenght of base64 decoded values in Curl_krb_kauth and krb4_auth functions in Kerberos authentication resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Recompile cURL without Kerberos support.\n## Short Description\nA remote overflow exists in cURL. cURL fails to verify the buffer lenght of base64 decoded values in Curl_krb_kauth and krb4_auth functions in Kerberos authentication resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.\n## References:\nVendor URL: http://curl.haxx.se/\n[Vendor Specific Advisory URL](http://www.mandrakesoft.com/security/advisories?name=MDKSA-2005:048)\n[Vendor Specific Advisory URL](http://tech.f5.com/home/bigip/solutions/advisories/sol4447.html)\nSecurity Tracker: 1013253\n[Secunia Advisory ID:14364](https://secuniaresearch.flexerasoftware.com/advisories/14364/)\n[Secunia Advisory ID:14421](https://secuniaresearch.flexerasoftware.com/advisories/14421/)\n[Secunia Advisory ID:14845](https://secuniaresearch.flexerasoftware.com/advisories/14845/)\n[Secunia Advisory ID:14431](https://secuniaresearch.flexerasoftware.com/advisories/14431/)\n[Secunia Advisory ID:14619](https://secuniaresearch.flexerasoftware.com/advisories/14619/)\n[Secunia Advisory ID:15012](https://secuniaresearch.flexerasoftware.com/advisories/15012/)\n[Related OSVDB ID: 14033](https://vulners.com/osvdb/OSVDB:14033)\nOther Advisory URL: http://rhn.redhat.com/errata/RHSA-2005-340.html\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=203&type=vulnerabilities\nOther Advisory URL: http://www.ubuntulinux.org/support/documentation/usn/usn-86-1\nOther Advisory URL: http://www.novell.com/linux/security/advisories/2005_11_curl.html\nOther Advisory URL: http://security.gentoo.org/glsa/glsa-200503-20.xml\n[CVE-2005-0490](https://vulners.com/cve/CVE-2005-0490)\n", "modified": "2005-02-21T05:23:30", "published": "2005-02-21T05:23:30", "href": "https://vulners.com/osvdb/OSVDB:14034", "id": "OSVDB:14034", "type": "osvdb", "title": "cURL/libcURL Kerberos Authentication Multiple Function Overflows", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:27", "bulletinFamily": "unix", "description": "### Background\n\ncurl is a command line tool for transferring files via many different protocols. \n\n### Description\n\ncurl fails to properly check boundaries when handling NTLM authentication. \n\n### Impact\n\nWith a malicious server an attacker could send a carefully crafted NTLM response to a connecting client leading to the execution of arbitrary code with the permissions of the user running curl. \n\n### Workaround\n\nDisable NTLM authentication by not using the --anyauth or --ntlm options. \n\n### Resolution\n\nAll curl users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/curl-7.13.1\"", "modified": "2005-03-16T00:00:00", "published": "2005-03-16T00:00:00", "id": "GLSA-200503-20", "href": "https://security.gentoo.org/glsa/200503-20", "type": "gentoo", "title": "curl: NTLM response buffer overflow", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:06", "bulletinFamily": "scanner", "description": "The remote host is missing updates announced in\nadvisory GLSA 200503-20.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54885", "id": "OPENVAS:54885", "title": "Gentoo Security Advisory GLSA 200503-20 (curl)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"curl is vulnerable to a buffer overflow which could lead to the execution\nof arbitrary code.\";\ntag_solution = \"All curl users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/curl-7.13.1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200503-20\nhttp://bugs.gentoo.org/show_bug.cgi?id=82534\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200503-20.\";\n\n \n\nif(description)\n{\n script_id(54885);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2005-0490\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200503-20 (curl)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-misc/curl\", unaffected: make_list(\"ge 7.13.1\"), vulnerable: make_list(\"lt 7.13.1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:14", "bulletinFamily": "scanner", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-16T00:00:00", "published": "2008-09-04T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52171", "id": "OPENVAS:52171", "title": "FreeBSD Ports: curl", "type": "openvas", "sourceData": "#\n#VID 96df5fd0-8900-11d9-aa18-0001020eed82\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: curl\n\nCVE-2005-0490\nMultiple stack-based buffer overflows in libcURL and cURL 7.12.1, and\npossibly other versions, allow remote malicious web servers to execute\narbitrary code via base64 encoded replies that exceed the intended\nbuffer lengths when decoded, which is not properly handled by (1) the\nCurl_input_ntlm function in http_ntlm.c during NTLM authentication or\n(2) the Curl_krb_kauth and krb4_auth functions in krb4.c during\nKerberos authentication.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=110902850731457\nhttp://marc.theaimsgroup.com/?l=bugtraq&m=110902601221592\nhttp://www.vuxml.org/freebsd/96df5fd0-8900-11d9-aa18-0001020eed82.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52171);\n script_version(\"$Revision: 4078 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-16 07:34:17 +0200 (Fri, 16 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2005-0490\");\n script_bugtraq_id(12615,12616);\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: curl\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"curl\");\nif(!isnull(bver) && revcomp(a:bver, b:\"7.13.1\")<0) {\n txt += 'Package curl version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-26T08:56:11", "bulletinFamily": "scanner", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n curl-devel\n curl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5012730 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-10-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=65299", "id": "OPENVAS:65299", "title": "SLES9: Security update for curl", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5012730.nasl 6666 2017-07-11 13:13:36Z cfischer $\n# Description: Security update for curl\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n curl-devel\n curl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5012730 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_id(65299);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2005-0490\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for curl\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"curl-devel\", rpm:\"curl-devel~7.11.0~39.4\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:40:11", "bulletinFamily": "scanner", "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n curl-devel\n curl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5012730 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-10-10T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231065299", "id": "OPENVAS:136141256231065299", "type": "openvas", "title": "SLES9: Security update for curl", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: sles9p5012730.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Security update for curl\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n curl-devel\n curl\n\nFor more information, please visit the referenced security\nadvisories.\n\nMore details may also be found by searching for keyword\n5012730 within the SuSE Enterprise Server 9 patch\ndatabase at http://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.65299\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-10 16:11:46 +0200 (Sat, 10 Oct 2009)\");\n script_cve_id(\"CVE-2005-0490\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES9: Security update for curl\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"curl-devel\", rpm:\"curl-devel~7.11.0~39.4\", rls:\"SLES9.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "centos": [{"lastseen": "2019-05-29T18:33:49", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2005:340-01\n\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and\nDict servers, using any of the supported protocols. cURL is designed\nto work without user interaction or any kind of interactivity. \n\nMultiple buffer overflow bugs were found in the way curl processes base64\nencoded replies. If a victim can be tricked into visiting a URL with curl,\na malicious web server could execute arbitrary code on a victim's machine.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2005-0490 to this issue.\n\nAll users of curl are advised to upgrade to these updated\npackages, which contain backported fixes for these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-April/011547.html\n\n**Affected packages:**\ncurl\ncurl-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/rh21as-errata.html", "modified": "2005-04-06T04:59:36", "published": "2005-04-06T04:59:36", "href": "http://lists.centos.org/pipermail/centos-announce/2005-April/011547.html", "id": "CESA-2005:340-01", "title": "curl security update", "type": "centos", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:48", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2005:340\n\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and\nDict servers, using any of the supported protocols. cURL is designed\nto work without user interaction or any kind of interactivity. \n\nMultiple buffer overflow bugs were found in the way curl processes base64\nencoded replies. If a victim can be tricked into visiting a URL with curl,\na malicious web server could execute arbitrary code on a victim's machine.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2005-0490 to this issue.\n\nAll users of curl are advised to upgrade to these updated\npackages, which contain backported fixes for these issues.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2005-April/011531.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-April/011532.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-April/011538.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-April/011542.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-April/011543.html\nhttp://lists.centos.org/pipermail/centos-announce/2005-April/011545.html\n\n**Affected packages:**\ncurl\ncurl-devel\n\n**Upstream details at:**\n\nhttps://rhn.redhat.com/errata/RHSA-2005-340.html", "modified": "2005-04-06T02:46:57", "published": "2005-04-05T21:59:11", "href": "http://lists.centos.org/pipermail/centos-announce/2005-April/011531.html", "id": "CESA-2005:340", "title": "curl security update", "type": "centos", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2019-05-29T17:23:36", "bulletinFamily": "unix", "description": "infamous41md discovered a buffer overflow in cURL\u2019s NT LAN Manager (NTLM) authentication handling. By sending a specially crafted long NTLM reply packet, a remote attacker could overflow the reply buffer. This could lead to execution of arbitrary attacker specified code with the privileges of the application using the cURL library.", "modified": "2005-02-28T00:00:00", "published": "2005-02-28T00:00:00", "id": "USN-86-1", "href": "https://usn.ubuntu.com/86-1/", "title": "cURL vulnerability", "type": "ubuntu", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:46:44", "bulletinFamily": "unix", "description": "cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and\nDict servers, using any of the supported protocols. cURL is designed\nto work without user interaction or any kind of interactivity. \n\nMultiple buffer overflow bugs were found in the way curl processes base64\nencoded replies. If a victim can be tricked into visiting a URL with curl,\na malicious web server could execute arbitrary code on a victim's machine.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2005-0490 to this issue.\n\nAll users of curl are advised to upgrade to these updated\npackages, which contain backported fixes for these issues.", "modified": "2018-03-14T19:27:22", "published": "2005-04-05T04:00:00", "id": "RHSA-2005:340", "href": "https://access.redhat.com/errata/RHSA-2005:340", "type": "redhat", "title": "(RHSA-2005:340) curl security update", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-12-13T07:33:16", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-200503-20\n(curl: NTLM response buffer overflow)\n\n curl fails to properly check boundaries when handling NTLM\n authentication.\n \nImpact :\n\n With a malicious server an attacker could send a carefully crafted\n NTLM response to a connecting client leading to the execution of\n arbitrary code with the permissions of the user running curl.\n \nWorkaround :\n\n Disable NTLM authentication by not using the --anyauth or --ntlm\n options.", "modified": "2019-12-02T00:00:00", "id": "GENTOO_GLSA-200503-20.NASL", "href": "https://www.tenable.com/plugins/nessus/17345", "published": "2005-03-17T00:00:00", "title": "GLSA-200503-20 : curl: NTLM response buffer overflow", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200503-20.\n#\n# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17345);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/08/02 13:32:42\");\n\n script_cve_id(\"CVE-2005-0490\");\n script_xref(name:\"GLSA\", value:\"200503-20\");\n\n script_name(english:\"GLSA-200503-20 : curl: NTLM response buffer overflow\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200503-20\n(curl: NTLM response buffer overflow)\n\n curl fails to properly check boundaries when handling NTLM\n authentication.\n \nImpact :\n\n With a malicious server an attacker could send a carefully crafted\n NTLM response to a connecting client leading to the execution of\n arbitrary code with the permissions of the user running curl.\n \nWorkaround :\n\n Disable NTLM authentication by not using the --anyauth or --ntlm\n options.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200503-20\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All curl users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/curl-7.13.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/03/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/17\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/curl\", unaffected:make_list(\"ge 7.13.1\"), vulnerable:make_list(\"lt 7.13.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T09:57:20", "bulletinFamily": "scanner", "description": "infamous41md discovered a buffer overflow in cURL", "modified": "2019-12-02T00:00:00", "id": "UBUNTU_USN-86-1.NASL", "href": "https://www.tenable.com/plugins/nessus/20711", "published": "2006-01-15T00:00:00", "title": "Ubuntu 4.10 : curl vulnerability (USN-86-1)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-86-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20711);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/08/02 13:33:00\");\n\n script_cve_id(\"CVE-2005-0490\");\n script_xref(name:\"USN\", value:\"86-1\");\n\n script_name(english:\"Ubuntu 4.10 : curl vulnerability (USN-86-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"infamous41md discovered a buffer overflow in cURL's NT LAN Manager\n(NTLM) authentication handling. By sending a specially crafted long\nNTLM reply packet, a remote attacker could overflow the reply buffer.\nThis could lead to execution of arbitrary attacker specified code with\nthe privileges of the application using the cURL library.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libcurl2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libcurl2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libcurl2-gssapi\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:4.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/01/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(4\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 4.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"4.10\", pkgname:\"curl\", pkgver:\"7.12.0.is.7.11.2-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"libcurl2\", pkgver:\"7.12.0.is.7.11.2-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"libcurl2-dbg\", pkgver:\"7.12.0.is.7.11.2-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"libcurl2-dev\", pkgver:\"7.12.0.is.7.11.2-1ubuntu0.1\")) flag++;\nif (ubuntu_check(osver:\"4.10\", pkgname:\"libcurl2-gssapi\", pkgver:\"7.12.0.is.7.11.2-1ubuntu0.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / libcurl2 / libcurl2-dbg / libcurl2-dev / libcurl2-gssapi\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:05:27", "bulletinFamily": "scanner", "description": "'infamous41md", "modified": "2019-12-02T00:00:00", "id": "MANDRAKE_MDKSA-2005-048.NASL", "href": "https://www.tenable.com/plugins/nessus/17277", "published": "2005-03-06T00:00:00", "title": "Mandrake Linux Security Advisory : curl (MDKSA-2005:048)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2005:048. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17277);\n script_version (\"1.17\");\n script_cvs_date(\"Date: 2019/08/02 13:32:47\");\n\n script_cve_id(\"CVE-2005-0490\");\n script_xref(name:\"MDKSA\", value:\"2005:048\");\n\n script_name(english:\"Mandrake Linux Security Advisory : curl (MDKSA-2005:048)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"'infamous41md' discovered a buffer overflow vulnerability in libcurl's\nNTLM authorization base64 decoding. This could allow a remote attacker\nusing a prepared remote server to execute arbitrary code as the user\nrunning curl.\n\nThe updated packages are patched to deal with these issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64curl2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64curl2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64curl3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64curl3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libcurl2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libcurl2-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libcurl3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libcurl3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:10.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK10.0\", reference:\"curl-7.11.0-2.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64curl2-7.11.0-2.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"amd64\", reference:\"lib64curl2-devel-7.11.0-2.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libcurl2-7.11.0-2.1.100mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.0\", cpu:\"i386\", reference:\"libcurl2-devel-7.11.0-2.1.100mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK10.1\", reference:\"curl-7.12.1-1.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"x86_64\", reference:\"lib64curl3-7.12.1-1.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"x86_64\", reference:\"lib64curl3-devel-7.12.1-1.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"libcurl3-7.12.1-1.1.101mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK10.1\", cpu:\"i386\", reference:\"libcurl3-devel-7.12.1-1.1.101mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T06:40:49", "bulletinFamily": "scanner", "description": "Updated curl packages are now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and\nDict servers, using any of the supported protocols. cURL is designed\nto work without user interaction or any kind of interactivity.\n\nMultiple buffer overflow bugs were found in the way curl processes\nbase64 encoded replies. If a victim can be tricked into visiting a URL\nwith curl, a malicious web server could execute arbitrary code on a\nvictim", "modified": "2019-12-02T00:00:00", "id": "CENTOS_RHSA-2005-340.NASL", "href": "https://www.tenable.com/plugins/nessus/21805", "published": "2006-07-03T00:00:00", "title": "CentOS 3 / 4 : curl (CESA-2005:340)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:340 and \n# CentOS Errata and Security Advisory 2005:340 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(21805);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2019/10/25 13:36:02\");\n\n script_cve_id(\"CVE-2005-0490\");\n script_xref(name:\"RHSA\", value:\"2005:340\");\n\n script_name(english:\"CentOS 3 / 4 : curl (CESA-2005:340)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated curl packages are now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and\nDict servers, using any of the supported protocols. cURL is designed\nto work without user interaction or any kind of interactivity.\n\nMultiple buffer overflow bugs were found in the way curl processes\nbase64 encoded replies. If a victim can be tricked into visiting a URL\nwith curl, a malicious web server could execute arbitrary code on a\nvictim's machine. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2005-0490 to this issue.\n\nAll users of curl are advised to upgrade to these updated packages,\nwhich contain backported fixes for these issues.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-April/011531.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c54131bf\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-April/011532.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4c182953\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-April/011538.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a912cddc\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-April/011542.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3d96c6e9\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2005-April/011545.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?290c9f49\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected curl packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:curl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/07/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 3.x / 4.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-3\", reference:\"curl-7.10.6-6.rhel3\")) flag++;\nif (rpm_check(release:\"CentOS-3\", reference:\"curl-devel-7.10.6-6.rhel3\")) flag++;\n\nif (rpm_check(release:\"CentOS-4\", reference:\"curl-7.12.1-5.rhel4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", reference:\"curl-devel-7.12.1-5.rhel4\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / curl-devel\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T08:52:35", "bulletinFamily": "scanner", "description": "Updated curl packages are now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and\nDict servers, using any of the supported protocols. cURL is designed\nto work without user interaction or any kind of interactivity.\n\nMultiple buffer overflow bugs were found in the way curl processes\nbase64 encoded replies. If a victim can be tricked into visiting a URL\nwith curl, a malicious web server could execute arbitrary code on a\nvictim", "modified": "2019-12-02T00:00:00", "id": "REDHAT-RHSA-2005-340.NASL", "href": "https://www.tenable.com/plugins/nessus/17979", "published": "2005-04-06T00:00:00", "title": "RHEL 2.1 / 3 / 4 : curl (RHSA-2005:340)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2005:340. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17979);\n script_version (\"1.25\");\n script_cvs_date(\"Date: 2019/10/25 13:36:11\");\n\n script_cve_id(\"CVE-2005-0490\");\n script_xref(name:\"RHSA\", value:\"2005:340\");\n\n script_name(english:\"RHEL 2.1 / 3 / 4 : curl (RHSA-2005:340)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated curl packages are now available.\n\nThis update has been rated as having low security impact by the Red\nHat Security Response Team.\n\ncURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and\nDict servers, using any of the supported protocols. cURL is designed\nto work without user interaction or any kind of interactivity.\n\nMultiple buffer overflow bugs were found in the way curl processes\nbase64 encoded replies. If a victim can be tricked into visiting a URL\nwith curl, a malicious web server could execute arbitrary code on a\nvictim's machine. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2005-0490 to this issue.\n\nAll users of curl are advised to upgrade to these updated packages,\nwhich contain backported fixes for these issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2005-0490\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2005:340\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected curl and / or curl-devel packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:curl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/05/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/04/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/04/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(2\\.1|3|4)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1 / 3.x / 4.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2005:340\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"curl-7.8-2.rhel2\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"curl-devel-7.8-2.rhel2\")) flag++;\n\n if (rpm_check(release:\"RHEL3\", reference:\"curl-7.10.6-6.rhel3\")) flag++;\n if (rpm_check(release:\"RHEL3\", reference:\"curl-devel-7.10.6-6.rhel3\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", reference:\"curl-7.12.1-5.rhel4\")) flag++;\n if (rpm_check(release:\"RHEL4\", reference:\"curl-devel-7.12.1-5.rhel4\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"curl / curl-devel\");\n }\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:02:44", "bulletinFamily": "scanner", "description": "Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and\npossibly other versions, allow remote malicious web servers to execute\narbitrary code via base64 encoded replies that exceed the intended\nbuffer lengths when decoded, which is not properly handled by (1) the\nCurl_input_ntlm function in http_ntlm.c during NTLM authentication or\n(2) the Curl_krb_kauth and krb4_auth functions in krb4.c during\nKerberos authentication.", "modified": "2019-12-02T00:00:00", "id": "F5_BIGIP_SOL4447.NASL", "href": "https://www.tenable.com/plugins/nessus/78203", "published": "2014-10-10T00:00:00", "title": "F5 Networks BIG-IP : cURL buffer overflow vulnerability (SOL4447)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution SOL4447.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78203);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/10/25 13:36:06\");\n\n script_cve_id(\"CVE-2005-0490\");\n\n script_name(english:\"F5 Networks BIG-IP : cURL buffer overflow vulnerability (SOL4447)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and\npossibly other versions, allow remote malicious web servers to execute\narbitrary code via base64 encoded replies that exceed the intended\nbuffer lengths when decoded, which is not properly handled by (1) the\nCurl_input_ntlm function in http_ntlm.c during NTLM authentication or\n(2) the Curl_krb_kauth and krb4_auth functions in krb4.c during\nKerberos authentication.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K4447\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution SOL4447.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"SOL4447\";\nvmatrix = make_array();\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"9.0.0-9.0.5\",\"9.1.0-9.1.2\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"9.2\",\"9.3\",\"9.4\",\"9.6\",\"10\",\"11\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running the affected module LTM\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T07:30:57", "bulletinFamily": "scanner", "description": "Two iDEFENSE Security Advisories reports :\n\nAn exploitable stack-based buffer overflow condition exists when using\nNT Lan Manager (NTLM) authentication. The problem specifically exists\nwithin Curl_input_ntlm() defined in lib/http_ntlm.c.\n\nSuccessful exploitation allows remote attackers to execute arbitrary\ncode under the privileges of the target user. Exploitation requires\nthat an attacker either coerce or force a target to connect to a\nmalicious server using NTLM authentication.\n\nAn exploitable stack-based buffer overflow condition exists when using\nKerberos authentication. The problem specifically exists within the\nfunctions Curl_krb_kauth() and krb4_auth() defined in lib/krb4.c.\n\nSuccessful exploitation allows remote attackers to execute arbitrary\ncode under the privileges of the target user. Exploitation requires\nthat an attacker either coerce or force a target to connect to a\nmalicious server using Kerberos authentication.", "modified": "2019-12-02T00:00:00", "id": "FREEBSD_PKG_96DF5FD0890011D9AA180001020EED82.NASL", "href": "https://www.tenable.com/plugins/nessus/19038", "published": "2005-07-13T00:00:00", "title": "FreeBSD : curl -- authentication buffer overflow vulnerability (96df5fd0-8900-11d9-aa18-0001020eed82)", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19038);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2019/08/02 13:32:37\");\n\n script_cve_id(\"CVE-2005-0490\");\n script_bugtraq_id(12615, 12616);\n\n script_name(english:\"FreeBSD : curl -- authentication buffer overflow vulnerability (96df5fd0-8900-11d9-aa18-0001020eed82)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Two iDEFENSE Security Advisories reports :\n\nAn exploitable stack-based buffer overflow condition exists when using\nNT Lan Manager (NTLM) authentication. The problem specifically exists\nwithin Curl_input_ntlm() defined in lib/http_ntlm.c.\n\nSuccessful exploitation allows remote attackers to execute arbitrary\ncode under the privileges of the target user. Exploitation requires\nthat an attacker either coerce or force a target to connect to a\nmalicious server using NTLM authentication.\n\nAn exploitable stack-based buffer overflow condition exists when using\nKerberos authentication. The problem specifically exists within the\nfunctions Curl_krb_kauth() and krb4_auth() defined in lib/krb4.c.\n\nSuccessful exploitation allows remote attackers to execute arbitrary\ncode under the privileges of the target user. Exploitation requires\nthat an attacker either coerce or force a target to connect to a\nmalicious server using Kerberos authentication.\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110902850731457\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=110902850731457\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=110902601221592\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=110902601221592\"\n );\n # https://vuxml.freebsd.org/freebsd/96df5fd0-8900-11d9-aa18-0001020eed82.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?adece2d7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:curl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/12/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"curl<7.13.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-13T09:21:44", "bulletinFamily": "scanner", "description": "The remote host is missing the patch for the advisory SUSE-SA:2005:011 (curl).\n\n\ninfamous41md@hotpop.com reported a vulnerability in libcurl, the\nHTTP/FTP retrieval library. This library is used by lots of programs,\nincluding YaST2 and PHP4.\n\nThe NTLM authorization in curl had a buffer overflow in the base64\ndecoding which allows a remote attacker using a prepared remote\nserver to execute code for the user using curl.\n\nThe Kerberos authorization has a similar bug, but is not compiled\nin on SUSE Linux.\n\nThis is tracked by the Mitre CVE ID CVE-2005-0490.", "modified": "2019-12-02T00:00:00", "id": "SUSE_SA_2005_011.NASL", "href": "https://www.tenable.com/plugins/nessus/17238", "published": "2005-03-01T00:00:00", "title": "SUSE-SA:2005:011: curl", "type": "nessus", "sourceData": "#%NASL_MIN_LEVEL 80502\n#\n# (C) Tenable Network Security, Inc.\n#\n# This plugin text was extracted from SuSE Security Advisory SUSE-SA:2005:011\n#\n\n\nif ( ! defined_func(\"bn_random\") ) exit(0);\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(17238);\n script_version (\"1.10\");\n script_cve_id(\"CVE-2005-0490\");\n \n name[\"english\"] = \"SUSE-SA:2005:011: curl\";\n \n script_name(english:name[\"english\"]);\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a vendor-supplied security patch\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is missing the patch for the advisory SUSE-SA:2005:011 (curl).\n\n\ninfamous41md@hotpop.com reported a vulnerability in libcurl, the\nHTTP/FTP retrieval library. This library is used by lots of programs,\nincluding YaST2 and PHP4.\n\nThe NTLM authorization in curl had a buffer overflow in the base64\ndecoding which allows a remote attacker using a prepared remote\nserver to execute code for the user using curl.\n\nThe Kerberos authorization has a similar bug, but is not compiled\nin on SUSE Linux.\n\nThis is tracked by the Mitre CVE ID CVE-2005-0490.\" );\n script_set_attribute(attribute:\"solution\", value:\n\"http://www.suse.de/security/advisories/2005_11_curl.html\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/03/01\");\n script_cvs_date(\"Date: 2019/10/25 13:36:28\");\n script_end_attributes();\n\n \n summary[\"english\"] = \"Check for the version of the curl package\";\n script_summary(english:summary[\"english\"]);\n \n script_category(ACT_GATHER_INFO);\n \n script_copyright(english:\"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.\");\n family[\"english\"] = \"SuSE Local Security Checks\";\n script_family(english:family[\"english\"]);\n \n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/SuSE/rpm-list\");\n exit(0);\n}\n\ninclude(\"rpm.inc\");\nif ( rpm_check( reference:\"curl-7.11.0-39.4\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"curl-devel-7.11.0-39.4\", release:\"SUSE9.1\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"curl-7.12.0-2.2\", release:\"SUSE9.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif ( rpm_check( reference:\"curl-devel-7.12.0-2.2\", release:\"SUSE9.2\") )\n{\n security_warning(0);\n exit(0);\n}\nif (rpm_exists(rpm:\"curl-\", release:\"SUSE9.1\")\n || rpm_exists(rpm:\"curl-\", release:\"SUSE9.2\") )\n{\n set_kb_item(name:\"CVE-2005-0490\", value:TRUE);\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:01", "bulletinFamily": "unix", "description": "\nTwo iDEFENSE Security Advisories reports:\n\nAn exploitable stack-based buffer overflow condition\n\t exists when using NT Lan Manager (NTLM)\n\t authentication. The problem specifically exists within\n\t Curl_input_ntlm() defined in\n\t lib/http_ntlm.c.\nSuccessful exploitation allows remote attackers to\n\t execute arbitrary code under the privileges of the target\n\t user. Exploitation requires that an attacker either coerce\n\t or force a target to connect to a malicious server using\n\t NTLM authentication.\n\n\nAn exploitable stack-based buffer overflow condition\n\t exists when using Kerberos authentication. The problem\n\t specifically exists within the functions\n\t Curl_krb_kauth() and krb4_auth()\n\t defined in lib/krb4.c.\nSuccessful exploitation allows remote attackers to\n\t execute arbitrary code under the privileges of the target\n\t user. Exploitation requires that an attacker either coerce\n\t or force a target to connect to a malicious server using\n\t Kerberos authentication.\n\n", "modified": "2004-12-21T00:00:00", "published": "2004-12-21T00:00:00", "id": "96DF5FD0-8900-11D9-AA18-0001020EED82", "href": "https://vuxml.freebsd.org/freebsd/96df5fd0-8900-11d9-aa18-0001020eed82.html", "title": "curl -- authentication buffer overflow vulnerability", "type": "freebsd", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2016-09-26T17:22:59", "bulletinFamily": "software", "description": "Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.\n\nInformation about this advisory is available at the following location:\n\n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490>\n\nF5 Networks Product Development tracked this issue as CR46925, CR46931, and CR46932 and it was fixed in BBIG-IP version 9.2.\n", "modified": "2013-03-28T00:00:00", "published": "2007-05-16T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/4000/400/sol4447.html", "id": "SOL4447", "title": "SOL4447 - cURL buffer overflow vulnerability - CAN-2005-0490", "type": "f5", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-07T08:21:19", "bulletinFamily": "software", "description": "", "modified": "2017-10-03T22:34:00", "published": "2007-05-17T04:00:00", "id": "F5:K4447", "href": "https://support.f5.com/csp/article/K4447", "title": "cURL buffer overflow vulnerability CAN-2005-0490", "type": "f5", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
