Executive Summary

Summary
Title curl security update
Informations
Name DSA-2849 First vendor Publication 2014-01-31
Vendor Debian Last vendor Modification 2014-01-31
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Cvss Base Score 4 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity High
Cvss Expoit Score 4.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Paras Sethia discovered that libcurl, a client-side URL transfer library, would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user.

For the oldstable distribution (squeeze), this problem has been fixed in version 7.21.0-2.1+squeeze7.

For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy8.

For the unstable distribution (sid), this problem has been fixed in version 7.35.0-1.

We recommend that you upgrade your curl packages.

Original Source

Url : http://www.debian.org/security/2014/dsa-2849

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-287 Improper Authentication

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22209
 
Oval ID: oval:org.mitre.oval:def:22209
Title: USN-2097-1 -- curl vulnerability
Description: libcurl could be made to expose sensitive information.
Family: unix Class: patch
Reference(s): USN-2097-1
CVE-2014-0015
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22425
 
Oval ID: oval:org.mitre.oval:def:22425
Title: DSA-2849-1 curl - information disclosure
Description: Paras Sethia discovered that libcurl, a client-side URL transfer library, would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user.
Family: unix Class: patch
Reference(s): DSA-2849-1
CVE-2014-0015
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25350
 
Oval ID: oval:org.mitre.oval:def:25350
Title: SUSE-SU-2014:0171-1 -- Security update for curl
Description: This update fixes the re-use of wrong HTTP NTLM connections in libcurl. (CVE-2014-0015) Security Issue reference: * CVE-2014-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0171-1
CVE-2014-0015
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25377
 
Oval ID: oval:org.mitre.oval:def:25377
Title: SUSE-SU-2014:0175-1 -- Security update for curl
Description: This update fixes the re-use of wrong HTTP NTLM connections in libcurl. (CVE-2014-0015) Security Issue reference: * CVE-2014-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0175-1
CVE-2014-0015
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): curl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25393
 
Oval ID: oval:org.mitre.oval:def:25393
Title: SUSE-SU-2014:0175-2 -- Security update for curl
Description: This update fixes the re-use of wrong HTTP NTLM connections in libcurl. (CVE-2014-0015) Security Issue reference: * CVE-2014-0015 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015 >
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0175-2
CVE-2014-0015
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): curl
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 64
Application 64

Information Assurance Vulnerability Management (IAVM)

Date Description
2014-12-11 IAVM : 2014-B-0161 - Multiple Vulnerabilities in VMware ESXi 5.1
Severity : Category I - VMSKEY : V0057717

Nessus® Vulnerability Scanner

Date Description
2017-04-06 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL16704.nasl - Type : ACT_GATHER_INFO
2016-03-29 Name : The remote web server is affected by multiple vulnerabilities.
File : hpsmh_7_2_6.nasl - Type : ACT_GATHER_INFO
2016-02-10 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-652.nasl - Type : ACT_GATHER_INFO
2015-12-30 Name : The remote VMware ESXi host is missing a security-related patch.
File : vmware_VMSA-2014-0012_remote.nasl - Type : ACT_GATHER_INFO
2015-07-31 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2015-0107.nasl - Type : ACT_GATHER_INFO
2015-04-30 Name : The remote Debian host is missing a security update.
File : debian_DLA-211.nasl - Type : ACT_GATHER_INFO
2015-04-23 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3232.nasl - Type : ACT_GATHER_INFO
2015-03-30 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-098.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_libcurl_20140415.nasl - Type : ACT_GATHER_INFO
2014-12-12 Name : The remote host has a virtualization management application installed that is...
File : vmware_vcenter_vmsa-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-12-12 Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities.
File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO
2014-12-06 Name : The remote VMware ESXi host is missing a security-related patch.
File : vmware_VMSA-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0629.nasl - Type : ACT_GATHER_INFO
2014-07-01 Name : The remote host is missing a Mac OS X update that fixes a certificate validat...
File : macosx_10_9_4.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-149.nasl - Type : ACT_GATHER_INFO
2014-06-10 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-110.nasl - Type : ACT_GATHER_INFO
2014-05-29 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0561.nasl - Type : ACT_GATHER_INFO
2014-05-28 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140527_curl_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-05-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0561.nasl - Type : ACT_GATHER_INFO
2014-05-28 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0561.nasl - Type : ACT_GATHER_INFO
2014-04-23 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-322.nasl - Type : ACT_GATHER_INFO
2014-03-02 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-295.nasl - Type : ACT_GATHER_INFO
2014-02-17 Name : The remote Fedora host is missing a security update.
File : fedora_2014-1864.nasl - Type : ACT_GATHER_INFO
2014-02-14 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-044-01.nasl - Type : ACT_GATHER_INFO
2014-02-04 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2097-1.nasl - Type : ACT_GATHER_INFO
2014-02-03 Name : The remote Fedora host is missing a security update.
File : fedora_2014-1876.nasl - Type : ACT_GATHER_INFO
2014-02-02 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2849.nasl - Type : ACT_GATHER_INFO
2014-02-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_curl-140118.nasl - Type : ACT_GATHER_INFO
2014-02-02 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_curl-140117.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
Date Informations
2015-07-17 09:24:14
  • Multiple Updates
2015-05-01 13:28:28
  • Multiple Updates
2015-04-24 13:28:58
  • Multiple Updates
2014-02-17 11:32:31
  • Multiple Updates
2014-02-03 21:24:34
  • Multiple Updates
2014-02-02 13:22:15
  • Multiple Updates
2014-01-31 09:18:17
  • First insertion