Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
TitlecURL: Multiple vulnerabilities
Informations
NameGLSA-201203-02First vendor Publication2012-03-06
VendorGentooLast vendor Modification2012-03-06
Severity (Vendor) NormalRevisionN/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score7.5Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities have been found in cURL, the worst of which might allow remote execution of arbitrary code.

Background

cURL is a command line tool for transferring files with URL syntax, supporting numerous protocols.

Description

Multiple vulnerabilities have been found in cURL:

* When zlib is enabled, the amount of data sent to an application for automatic decompression is not restricted (CVE-2010-0734).
* When performing GSSAPI authentication, credential delegation is always used (CVE-2011-2192).
* When SSL is enabled, cURL improperly disables the OpenSSL workaround to mitigate an information disclosure vulnerability in the SSL and TLS protocols (CVE-2011-3389).
* libcurl does not properly verify file paths for escape control characters in IMAP, POP3 or SMTP URLs (CVE-2012-0036).

Impact

A remote attacker could entice a user or automated process to open a specially crafted file or URL using cURL, possibly resulting in the remote execution of arbitrary code, a Denial of Service condition, disclosure of sensitive information, or unwanted actions performed via the IMAP, POP3 or SMTP protocols. Furthermore, remote servers may be able to impersonate clients via GSSAPI requests.

Workaround

There is no known workaround at this time.

Resolution

All cURL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/curl-7.24.0"

References

[ 1 ] CVE-2010-0734 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0734
[ 2 ] CVE-2011-2192 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192
[ 3 ] CVE-2011-3389 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 4 ] CVE-2012-0036 : http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0036

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201203-02.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-201203-02.xml

CWE : Common Weakness Enumeration

idName
CWE-264Permissions, Privileges, and Access Controls
CWE-255Credentials Management
CWE-89Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25)
CWE-20Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6756
 
Oval ID: oval:org.mitre.oval:def:6756
Title: VMware ESX, Service Console update for cURL.
Description: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0734
Version: 5
Platform(s): VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6701
 
Oval ID: oval:org.mitre.oval:def:6701
Title: DSA-2023 curl -- buffer overflow
Description: Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow via the callback function when an application relies on libcurl to automatically uncompress data. Note that this only affects applications that trust libcurl’s maximum limit for a fixed buffer size and do not perform any sanity checks themselves.
Family: unix Class: patch
Reference(s): DSA-2023
CVE-2010-0734
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22172
 
Oval ID: oval:org.mitre.oval:def:22172
Title: RHSA-2010:0273: curl security, bug fix and enhancement update (Moderate)
Description: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Family: unix Class: patch
Reference(s): RHSA-2010:0273-05
CVE-2010-0734
Version: 4
Platform(s): Red Hat Enterprise Linux 5
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13495
 
Oval ID: oval:org.mitre.oval:def:13495
Title: DSA-2023-1 curl -- buffer overflow
Description: Wesley Miaw discovered that libcurl, a multi-protocol file transfer library, is prone to a buffer overflow via the callback function when an application relies on libcurl to automatically uncompress data. Note that this only affects applications that trust libcurl’s maximum limit for a fixed buffer size and do not perform any sanity checks themselves. For the stable distribution, this problem has been fixed in version 7.18.2-8lenny4. Due to a problem with the archive software, we are unable to release all architectures simultaneously. Binaries for the hppa, ia64, mips, mipsel and s390 architectures will be provided once they are available. For the testing distribution and the unstable distribution, this problem has been fixed in version 7.20.0-1. We recommend that you upgrade your curl packages.
Family: unix Class: patch
Reference(s): DSA-2023-1
CVE-2010-0734
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10760
 
Oval ID: oval:org.mitre.oval:def:10760
Title: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Description: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Family: unix Class: vulnerability
Reference(s): CVE-2010-0734
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23020
 
Oval ID: oval:org.mitre.oval:def:23020
Title: ELSA-2010:0273: curl security, bug fix and enhancement update (Moderate)
Description: content_encoding.c in libcurl 7.10.5 through 7.19.7, when zlib is enabled, does not properly restrict the amount of callback data sent to an application that requests automatic decompression, which might allow remote attackers to cause a denial of service (application crash) or have unspecified other impact by sending crafted compressed data to an application that relies on the intended data-length limit.
Family: unix Class: patch
Reference(s): ELSA-2010:0273-05
CVE-2010-0734
Version: 6
Platform(s): Oracle Linux 5
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28141
 
Oval ID: oval:org.mitre.oval:def:28141
Title: ELSA-2010-0273 -- curl security, bug fix and enhancement update (moderate)
Description: [7.15.5-9] - http://curl.haxx.se/docs/adv_20100209.html (#565408) [7.15.5-8] - mention lack of IPv6, FTPS and LDAP support while using a socks proxy (#473128) - avoid tight loop if an upload connection is broken (#479967) - add options --ftp-account and --ftp-alternative-to-user to program help (#517084) - fix crash when reusing connection after negotiate-auth (#517199) - support for CRL loading from a PEM file (#532069) [7.15.5-7] - sync patch for CVE-2007-0037 with 5.3.Z Related: #485290 [7.15.5-6] - fix CVE-2009-2417 Resolves: #516258 [7.15.5-5] - forwardport one hunk from upstream curl-7.15.1 Related: #485290 [7.15.5-4] - fix hunk applied to wrong place due to nonzero patch fuzz Related: #485290 [7.15.5-3] - fix CVE-2007-0037 Resolves: #485290
Family: unix Class: patch
Reference(s): ELSA-2010-0273
CVE-2010-0734
Version: 1
Platform(s): Oracle Linux 5
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21913
 
Oval ID: oval:org.mitre.oval:def:21913
Title: RHSA-2011:0918: curl security update (Moderate)
Description: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Family: unix Class: patch
Reference(s): RHSA-2011:0918-01
CVE-2011-2192
Version: 4
Platform(s): Red Hat Enterprise Linux 6
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20630
 
Oval ID: oval:org.mitre.oval:def:20630
Title: VMware ESXi and ESX updates to third party library and ESX Service Console
Description: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Family: unix Class: vulnerability
Reference(s): CVE-2011-2192
Version: 4
Platform(s): VMWare ESX Server 4.1
VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13004
 
Oval ID: oval:org.mitre.oval:def:13004
Title: DSA-2271-1 curl -- improper delegation of client credentials
Description: Richard Silverman discovered that when doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism. This is obviously a very sensitive operation, which should only be done when the user explicitly so directs.
Family: unix Class: patch
Reference(s): DSA-2271-1
CVE-2011-2192
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23218
 
Oval ID: oval:org.mitre.oval:def:23218
Title: ELSA-2011:0918: curl security update (Moderate)
Description: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Family: unix Class: patch
Reference(s): ELSA-2011:0918-01
CVE-2011-2192
Version: 6
Platform(s): Oracle Linux 6
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19673
 
Oval ID: oval:org.mitre.oval:def:19673
Title: HP-UX Running Java JRE and JDK, Remote Denial of Service (DoS), Unauthorized Modification and Disclosure of Information
Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family: unix Class: vulnerability
Reference(s): CVE-2011-3389
Version: 6
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15241
 
Oval ID: oval:org.mitre.oval:def:15241
Title: DSA-2368-1 lighttpd -- multiple
Description: Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint. CVE-2011-4362 Xi Wang discovered that the base64 decoding routine which is used to decode user input during an HTTP authentication, suffers of a signedness issue when processing user input. As a result it is possible to force lighttpd to perform an out-of-bounds read which results in Denial of Service conditions. CVE-2011-3389 When using CBC ciphers on an SSL enabled virtual host to communicate with certain client, a so called "BEAST" attack allows man-in-the-middle attackers to obtain plaintext HTTP traffic via a blockwise chosen-boundary attack on an HTTPS session. Technically this is no lighttpd vulnerability. However, lighttpd offers a workaround to mitigate this problem by providing a possibility to disable CBC ciphers. This updates includes this option by default. System administrators are advised to read the NEWS file of this update.
Family: unix Class: patch
Reference(s): DSA-2368-1
CVE-2011-4362
CVE-2011-3389
Version: 7
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): lighttpd
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14752
 
Oval ID: oval:org.mitre.oval:def:14752
Title: SSL and TLS Protocols Vulnerability
Description: The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Family: windows Class: vulnerability
Reference(s): CVE-2011-3389
Version: 7
Platform(s): Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows 7
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15005
 
Oval ID: oval:org.mitre.oval:def:15005
Title: DSA-2398-1 curl -- several
Description: Several vulnerabilities have been discovered in Curl, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-3389 This update enables OpenSSL workarounds against the "BEAST" attack
Family: unix Class: patch
Reference(s): DSA-2398-1
CVE-2011-3389
CVE-2012-0036
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:15001
 
Oval ID: oval:org.mitre.oval:def:15001
Title: USN-1346-1 -- curl vulnerability
Description: curl: HTTP, HTTPS, and FTP client and client libraries curl could be tricked into injecting arbitrary data if it handled a malicious URL.
Family: unix Class: patch
Reference(s): USN-1346-1
CVE-2012-0036
Version: 5
Platform(s): Ubuntu 11.04
Ubuntu 11.10
Ubuntu 10.10
Product(s): curl
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application14
Application48
Application1
Application1
Application1
Application1
Os1

OpenVAS Exploits

DateDescription
2012-10-19Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-16351
File : nvt/gb_fedora_2012_16351_java-1.6.0-openjdk_fc16.nasl
2012-10-19Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-16351
File : nvt/gb_fedora_2012_16351_java-1.7.0-openjdk_fc16.nasl
2012-09-25Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2012-004)
File : nvt/gb_macosx_su12-004.nasl
2012-09-22Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-13127
File : nvt/gb_fedora_2012_13127_java-1.6.0-openjdk_fc16.nasl
2012-09-04Name : Mandriva Update for fetchmail MDVSA-2012:149 (fetchmail)
File : nvt/gb_mandriva_MDVSA_2012_149.nasl
2012-09-04Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-13138
File : nvt/gb_fedora_2012_13138_java-1.7.0-openjdk_fc16.nasl
2012-08-30Name : FreeBSD Ports: fetchmail
File : nvt/freebsd_fetchmail16.nasl
2012-08-30Name : Fedora Update for python3 FEDORA-2012-5785
File : nvt/gb_fedora_2012_5785_python3_fc17.nasl
2012-08-30Name : Fedora Update for python-docs FEDORA-2012-5892
File : nvt/gb_fedora_2012_5892_python-docs_fc17.nasl
2012-08-30Name : Fedora Update for python FEDORA-2012-5892
File : nvt/gb_fedora_2012_5892_python_fc17.nasl
2012-08-03Name : Mandriva Update for curl MDVSA-2012:058 (curl)
File : nvt/gb_mandriva_MDVSA_2012_058.nasl
2012-07-30Name : CentOS Update for firefox CESA-2012:1088 centos5
File : nvt/gb_CESA-2012_1088_firefox_centos5.nasl
2012-07-30Name : CentOS Update for firefox CESA-2012:1088 centos6
File : nvt/gb_CESA-2012_1088_firefox_centos6.nasl
2012-07-30Name : CentOS Update for thunderbird CESA-2012:1089 centos5
File : nvt/gb_CESA-2012_1089_thunderbird_centos5.nasl
2012-07-30Name : CentOS Update for thunderbird CESA-2012:1089 centos6
File : nvt/gb_CESA-2012_1089_thunderbird_centos6.nasl
2012-07-30Name : CentOS Update for java CESA-2011:1380 centos5 x86_64
File : nvt/gb_CESA-2011_1380_java_centos5_x86_64.nasl
2012-07-30Name : CentOS Update for curl CESA-2011:0918 centos4 x86_64
File : nvt/gb_CESA-2011_0918_curl_centos4_x86_64.nasl
2012-07-30Name : CentOS Update for curl CESA-2011:0918 centos5 x86_64
File : nvt/gb_CESA-2011_0918_curl_centos5_x86_64.nasl
2012-07-19Name : RedHat Update for firefox RHSA-2012:1088-01
File : nvt/gb_RHSA-2012_1088-01_firefox.nasl
2012-07-19Name : RedHat Update for thunderbird RHSA-2012:1089-01
File : nvt/gb_RHSA-2012_1089-01_thunderbird.nasl
2012-06-22Name : Mandriva Update for python MDVSA-2012:096 (python)
File : nvt/gb_mandriva_MDVSA_2012_096.nasl
2012-06-22Name : Mandriva Update for python MDVSA-2012:097 (python)
File : nvt/gb_mandriva_MDVSA_2012_097.nasl
2012-06-22Name : Fedora Update for python3 FEDORA-2012-9135
File : nvt/gb_fedora_2012_9135_python3_fc16.nasl
2012-06-19Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-9541
File : nvt/gb_fedora_2012_9541_java-1.6.0-openjdk_fc15.nasl
2012-06-19Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-9545
File : nvt/gb_fedora_2012_9545_java-1.6.0-openjdk_fc16.nasl
2012-06-19Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-9593
File : nvt/gb_fedora_2012_9593_java-1.7.0-openjdk_fc16.nasl
2012-05-18Name : Mac OS X Multiple Vulnerabilities (2012-002)
File : nvt/gb_macosx_su12-002.nasl
2012-05-08Name : Fedora Update for python-docs FEDORA-2012-5924
File : nvt/gb_fedora_2012_5924_python-docs_fc16.nasl
2012-05-08Name : Fedora Update for python FEDORA-2012-5924
File : nvt/gb_fedora_2012_5924_python_fc16.nasl
2012-05-04Name : Fedora Update for python3 FEDORA-2012-5916
File : nvt/gb_fedora_2012_5916_python3_fc15.nasl
2012-04-30Name : Debian Security Advisory DSA 2398-2 (curl)
File : nvt/deb_2398_2.nasl
2012-04-06Name : Opera Extended Validation Information Disclosure Vulnerabilities (Linux)
File : nvt/gb_opera_extented_validation_info_disc_vuln_lin.nasl
2012-04-02Name : Fedora Update for firefox FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_firefox_fc16.nasl
2012-04-02Name : Fedora Update for nss-softokn FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_nss-softokn_fc16.nasl
2012-04-02Name : Fedora Update for nss-util FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_nss-util_fc16.nasl
2012-04-02Name : Fedora Update for thunderbird-lightning FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_thunderbird-lightning_fc16.nasl
2012-04-02Name : Fedora Update for thunderbird FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_thunderbird_fc16.nasl
2012-04-02Name : Fedora Update for xulrunner FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_xulrunner_fc16.nasl
2012-04-02Name : Fedora Update for java-1.7.0-openjdk FEDORA-2012-1690
File : nvt/gb_fedora_2012_1690_java-1.7.0-openjdk_fc16.nasl
2012-04-02Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-1711
File : nvt/gb_fedora_2012_1711_java-1.6.0-openjdk_fc16.nasl
2012-04-02Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-15020
File : nvt/gb_fedora_2011_15020_java-1.6.0-openjdk_fc16.nasl
2012-04-02Name : Fedora Update for curl FEDORA-2012-0894
File : nvt/gb_fedora_2012_0894_curl_fc16.nasl
2012-03-19Name : Fedora Update for nss FEDORA-2011-17400
File : nvt/gb_fedora_2011_17400_nss_fc16.nasl
2012-03-19Name : Fedora Update for java-1.7.0-openjdk FEDORA-2011-15555
File : nvt/gb_fedora_2011_15555_java-1.7.0-openjdk_fc16.nasl
2012-03-16Name : VMSA-2011-0003.2 Third party component updates for VMware vCenter Server, vCe...
File : nvt/gb_VMSA-2011-0003.nasl
2012-03-15Name : VMSA-2012-0001 VMware ESXi and ESX updates to third party library and ESX Ser...
File : nvt/gb_VMSA-2012-0001.nasl
2012-03-12Name : Gentoo Security Advisory GLSA 201203-02 (cURL)
File : nvt/glsa_201203_02.nasl
2012-03-09Name : Fedora Update for java-1.6.0-openjdk FEDORA-2012-1721
File : nvt/gb_fedora_2012_1721_java-1.6.0-openjdk_fc15.nasl
2012-02-13Name : Fedora Update for curl FEDORA-2012-0888
File : nvt/gb_fedora_2012_0888_curl_fc15.nasl
2012-02-12Name : Debian Security Advisory DSA 2398-1 (curl)
File : nvt/deb_2398_1.nasl
2012-02-12Name : Gentoo Security Advisory GLSA 201111-02 (sun-jre-bin sun-jdk emul-linux-x86-j...
File : nvt/glsa_201111_02.nasl
2012-02-11Name : Debian Security Advisory DSA 2356-1 (openjdk-6)
File : nvt/deb_2356_1.nasl
2012-02-11Name : Debian Security Advisory DSA 2358-1 (openjdk-6)
File : nvt/deb_2358_1.nasl
2012-02-11Name : Debian Security Advisory DSA 2368-1 (lighttpd)
File : nvt/deb_2368_1.nasl
2012-02-06Name : Mac OS X Multiple Vulnerabilities (2012-001)
File : nvt/gb_macosx_su12-001.nasl
2012-01-25Name : Ubuntu Update for openjdk-6 USN-1263-2
File : nvt/gb_ubuntu_USN_1263_2.nasl
2012-01-25Name : Ubuntu Update for curl USN-1346-1
File : nvt/gb_ubuntu_USN_1346_1.nasl
2012-01-23Name : Fedora Update for nss FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nss_fc15.nasl
2012-01-23Name : Fedora Update for perl-Gtk2-MozEmbed FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_perl-Gtk2-MozEmbed_fc15.nasl
2012-01-23Name : Fedora Update for thunderbird-lightning FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_thunderbird-lightning_fc15.nasl
2012-01-23Name : Fedora Update for thunderbird FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_thunderbird_fc15.nasl
2012-01-23Name : Fedora Update for xulrunner FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_xulrunner_fc15.nasl
2012-01-23Name : Fedora Update for firefox FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_firefox_fc15.nasl
2012-01-23Name : Fedora Update for gnome-python2-extras FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_gnome-python2-extras_fc15.nasl
2012-01-23Name : Fedora Update for nspr FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nspr_fc15.nasl
2012-01-23Name : Fedora Update for nss-softokn FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nss-softokn_fc15.nasl
2012-01-23Name : Fedora Update for nss-util FEDORA-2011-17399
File : nvt/gb_fedora_2011_17399_nss-util_fc15.nasl
2012-01-11Name : Microsoft Windows SSL/TLS Information Disclosure Vulnerability (2643584)
File : nvt/secpod_ms12-006.nasl
2011-11-18Name : Ubuntu Update for icedtea-web USN-1263-1
File : nvt/gb_ubuntu_USN_1263_1.nasl
2011-11-14Name : Mandriva Update for java-1.6.0-openjdk MDVSA-2011:170 (java-1.6.0-openjdk)
File : nvt/gb_mandriva_MDVSA_2011_170.nasl
2011-10-21Name : RedHat Update for java-1.6.0-openjdk RHSA-2011:1380-01
File : nvt/gb_RHSA-2011_1380-01_java-1.6.0-openjdk.nasl
2011-10-21Name : CentOS Update for java CESA-2011:1380 centos5 i386
File : nvt/gb_CESA-2011_1380_java_centos5_i386.nasl
2011-10-21Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-14638
File : nvt/gb_fedora_2011_14638_java-1.6.0-openjdk_fc14.nasl
2011-10-21Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-14648
File : nvt/gb_fedora_2011_14648_java-1.6.0-openjdk_fc15.nasl
2011-09-09Name : Opera Extended Validation Information Disclosure Vulnerabilities (Mac OS X)
File : nvt/gb_opera_extented_validation_info_disc_vuln_macosx.nasl
2011-09-09Name : Opera Extended Validation Information Disclosure Vulnerabilities (Windows)
File : nvt/gb_opera_extented_validation_info_disc_vuln_win.nasl
2011-08-18Name : CentOS Update for curl CESA-2011:0918 centos4 i386
File : nvt/gb_CESA-2011_0918_curl_centos4_i386.nasl
2011-08-09Name : CentOS Update for curl CESA-2011:0918 centos5 i386
File : nvt/gb_CESA-2011_0918_curl_centos5_i386.nasl
2011-08-03Name : Debian Security Advisory DSA 2271-1 (curl)
File : nvt/deb_2271_1.nasl
2011-07-27Name : Mandriva Update for curl MDVSA-2011:116 (curl)
File : nvt/gb_mandriva_MDVSA_2011_116.nasl
2011-07-12Name : Fedora Update for curl FEDORA-2011-8586
File : nvt/gb_fedora_2011_8586_curl_fc15.nasl
2011-07-08Name : Fedora Update for curl FEDORA-2011-8640
File : nvt/gb_fedora_2011_8640_curl_fc14.nasl
2011-07-08Name : RedHat Update for curl RHSA-2011:0918-01
File : nvt/gb_RHSA-2011_0918-01_curl.nasl
2011-06-24Name : Ubuntu Update for curl USN-1158-1
File : nvt/gb_ubuntu_USN_1158_1.nasl
2010-04-21Name : FreeBSD Ports: curl
File : nvt/freebsd_curl3.nasl
2010-04-09Name : CentOS Update for curl CESA-2010:0329 centos3 i386
File : nvt/gb_CESA-2010_0329_curl_centos3_i386.nasl
2010-04-09Name : CentOS Update for curl CESA-2010:0329 centos4 i386
File : nvt/gb_CESA-2010_0329_curl_centos4_i386.nasl
2010-04-06Name : Debian Security Advisory DSA 2023-1 (curl)
File : nvt/deb_2023_1.nasl
2010-04-06Name : RedHat Update for curl RHSA-2010:0273-05
File : nvt/gb_RHSA-2010_0273-05_curl.nasl
2010-04-06Name : RedHat Update for curl RHSA-2010:0329-01
File : nvt/gb_RHSA-2010_0329-01_curl.nasl
2010-03-22Name : Mandriva Update for curl MDVSA-2010:062 (curl)
File : nvt/gb_mandriva_MDVSA_2010_062.nasl
2010-03-22Name : Fedora Update for curl FEDORA-2010-2720
File : nvt/gb_fedora_2010_2720_curl_fc11.nasl
2010-03-12Name : Fedora Update for curl FEDORA-2010-2762
File : nvt/gb_fedora_2010_2762_curl_fc12.nasl
2010-02-19Name : Mandriva Update for drakxtools MDVA-2010:062 (drakxtools)
File : nvt/gb_mandriva_MDVA_2010_062.nasl
2010-02-19Name : Mandriva Update for drakxtools MDVA-2010:062-1 (drakxtools)
File : nvt/gb_mandriva_MDVA_2010_062_1.nasl
0000-00-00Name : Java for Mac OS X 10.6 Update 6 And 10.7 Update 1
File : nvt/secpod_macosx_java_10_6_upd_6_and_10_7_upd_1.nasl
0000-00-00Name : FreeBSD Ports: opera, linux-opera
File : nvt/freebsd_opera25.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
78512cURL Multiple Protocol File Path URL Parsing Control Character Injection
74829SSL Chained Initialization Vector CBC Mode MiTM Weakness
73686libcurl http_negotiate.c Curl_input_negotiate Function GSSAPI Credential Dele...
73328cURL GSSAPI Client Credential Remote Disclosure
62217cURL / libcURL Compressed HTTP Content Registered Callback Overflow

Information Assurance Vulnerability Management (IAVM)

DateDescription
2014-02-27IAVM : 2014-A-0030 - Apple Mac OS X Security Update 2014-001
Severity : Category I - VMSKEY : V0044547
2013-10-17IAVM : 2013-A-0199 - Multiple Vulnerabilities in Oracle Fusion Middleware
Severity : Category I - VMSKEY : V0040786
2012-03-29IAVM : 2012-A-0048 - Multiple Vulnerabilities in VMware vCenter Update Manager 5.0
Severity : Category I - VMSKEY : V0031901
2012-02-02IAVM : 2012-A-0020 - Multiple Vulnerabilities in VMware ESX 4.1 and ESXi 4.1
Severity : Category I - VMSKEY : V0031252
2012-01-13IAVM : 2012-B-0006 - Microsoft SSL/TLS Information Disclosure Vulnerability
Severity : Category I - VMSKEY : V0031054
2011-05-12IAVM : 2011-A-0066 - Multiple Vulnerabilities in VMware Products
Severity : Category I - VMSKEY : V0027158

Snort® IPS/IDS

DateDescription
2014-01-10SSL CBC encryption mode weakness brute force attempt
RuleID : 20212 - Revision : 7 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

DateDescription
2014-11-17Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2011-1090.nasl - Type : ACT_GATHER_INFO
2014-11-12Name : The remote Fedora host is missing a security update.
File : fedora_2014-13777.nasl - Type : ACT_GATHER_INFO
2014-11-08Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1455.nasl - Type : ACT_GATHER_INFO
2014-11-07Name : The remote Fedora host is missing a security update.
File : fedora_2014-13764.nasl - Type : ACT_GATHER_INFO
2014-06-13Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-76.nasl - Type : ACT_GATHER_INFO
2014-06-13Name : The remote openSUSE host is missing a security update.
File : suse_11_4_curl-120124.nasl - Type : ACT_GATHER_INFO
2014-06-13Name : The remote openSUSE host is missing a security update.
File : suse_11_4_curl-120131.nasl - Type : ACT_GATHER_INFO
2014-04-16Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_9aecb94cc1ad11e3a5ac001b21614864.nasl - Type : ACT_GATHER_INFO
2014-02-25Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2014-001.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0329.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-0918.nasl - Type : ACT_GATHER_INFO
2012-09-20Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2012-004.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100330_curl_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100330_curl_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100330_curl_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20110705_curl_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-07-18Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1088.nasl - Type : ACT_GATHER_INFO
2012-07-18Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1089.nasl - Type : ACT_GATHER_INFO
2012-07-05Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_7_1_1_1.nasl - Type : ACT_GATHER_INFO
2012-05-10Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_7_4.nasl - Type : ACT_GATHER_INFO
2012-04-24Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0508.nasl - Type : ACT_GATHER_INFO
2012-04-20Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_7_0_0_24.nasl - Type : ACT_GATHER_INFO
2012-04-16Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2012-058.nasl - Type : ACT_GATHER_INFO
2012-03-06Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201203-02.nasl - Type : ACT_GATHER_INFO
2012-02-13Name : The remote Fedora host is missing a security update.
File : fedora_2012-0888.nasl - Type : ACT_GATHER_INFO
2012-02-06Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_curl-7937.nasl - Type : ACT_GATHER_INFO
2012-02-02Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_7_3.nasl - Type : ACT_GATHER_INFO
2012-02-02Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_SecUpd2012-001.nasl - Type : ACT_GATHER_INFO
2012-01-31Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2398.nasl - Type : ACT_GATHER_INFO
2012-01-31Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2012-0001.nasl - Type : ACT_GATHER_INFO
2012-01-30Name : The remote Fedora host is missing a security update.
File : fedora_2012-0894.nasl - Type : ACT_GATHER_INFO
2012-01-25Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1346-1.nasl - Type : ACT_GATHER_INFO
2012-01-19Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0034.nasl - Type : ACT_GATHER_INFO
2012-01-10Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-0006.nasl - Type : ACT_GATHER_INFO
2011-10-20Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1384.nasl - Type : ACT_GATHER_INFO
2011-10-19Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1380.nasl - Type : ACT_GATHER_INFO
2011-07-25Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-116.nasl - Type : ACT_GATHER_INFO
2011-07-06Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-0918.nasl - Type : ACT_GATHER_INFO
2011-07-06Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-0918.nasl - Type : ACT_GATHER_INFO
2011-07-05Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2271.nasl - Type : ACT_GATHER_INFO
2011-07-05Name : The remote Fedora host is missing a security update.
File : fedora_2011-8640.nasl - Type : ACT_GATHER_INFO
2011-06-27Name : The remote Fedora host is missing a security update.
File : fedora_2011-8586.nasl - Type : ACT_GATHER_INFO
2011-06-24Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1158-1.nasl - Type : ACT_GATHER_INFO
2011-02-14Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2011-0003.nasl - Type : ACT_GATHER_INFO
2010-10-04Name : The remote VMware ESX host is missing one or more security-related patches.
File : vmware_VMSA-2010-0015.nasl - Type : ACT_GATHER_INFO
2010-07-01Name : The remote Fedora host is missing a security update.
File : fedora_2010-2720.nasl - Type : ACT_GATHER_INFO
2010-07-01Name : The remote Fedora host is missing a security update.
File : fedora_2010-2762.nasl - Type : ACT_GATHER_INFO
2010-06-15Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_10_6_4.nasl - Type : ACT_GATHER_INFO
2010-06-15Name : The remote host is missing a Mac OS X update that fixes a security issue.
File : macosx_SecUpd2010-004.nasl - Type : ACT_GATHER_INFO
2010-05-11Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0273.nasl - Type : ACT_GATHER_INFO
2010-05-11Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0329.nasl - Type : ACT_GATHER_INFO
2010-04-20Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_c8c31c4149ed11df83fb0015587e2cc1.nasl - Type : ACT_GATHER_INFO
2010-04-09Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0329.nasl - Type : ACT_GATHER_INFO
2010-03-29Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2023.nasl - Type : ACT_GATHER_INFO
2010-03-22Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-062.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:37:13
  • Multiple Updates