Executive Summary
Summary |
---|---
Title | curl security update

Information | | |
---|---|---|---
Name | DSA-3069 | First vendor Publication | 2014-11-07
Vendor | Debian | Last vendor Modification | 2014-11-07
Severity (Vendor) | N/A | Revision | 1
Security-Database Scoring CVSS v3
CVSS vector : N/A | | |
---|---|---|---
Overall CVSS Score | NA | |
Base Score | NA | Environmental Score | NA
Impact Sub Score | NA | Temporal Score | NA
Exploitability Sub Score | NA | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N) | | |
---|---|---|---
CVSS Base Score | 4.3 | Attack Range | Network
CVSS Impact Score | 2.9 | Attack Complexity | Medium
CVSS Exploit Score | 8.6 | Authentication | None Required
Detail

Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL, a URL transfer library, has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending while performing an HTTP POST operation. The bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem, as it does not use this sequence.

For the stable distribution (wheezy), this problem has been fixed in version 7.26.0-1+wheezy11.

For the upcoming stable distribution (jessie), this problem will be fixed in version 7.38.0-3.

For the unstable distribution (sid), this problem has been fixed in version 7.38.0-3.

We recommend that you upgrade your curl packages.
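The trigger sequence described above (CURLOPT_COPYPOSTFIELDS, then curl_easy_duphandle(), then a POST from the duplicate), as an added example that is not part of the Debian advisory or of the curl project's code. The `struct handle`, `set_copy_postfields()`, `dup_handle_buggy()`, `dup_handle_fixed()` and `handle_cleanup()` names and the `user=alice&password=hunter2` body are constructed stand-ins for libcurl's CURLOPT_COPYPOSTFIELDS, curl_easy_duphandle() and curl_easy_cleanup(); the block models the ownership mistake behind CVE-2014-3707 (a member-wise copy of a handle that owns a private POST buffer), not libcurl's actual internals. The buggy duplicate shares the original's buffer, so once the original is cleaned up the duplicate would POST whatever the allocator has since placed there; the fixed duplicate takes its own copy and is unaffected by the original's lifetime.

```c
/*
 * Added example (not curl project code): a minimal model of the handle-copy
 * bug behind DSA-3069 / CVE-2014-3707. Every name below is a hypothetical
 * stand-in for the libcurl API named in the comment next to it.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a libcurl easy handle: only the POST-body fields matter here. */
struct handle {
    char  *postfields;      /* bytes sent as the HTTP POST body */
    size_t postfieldsize;
    int    owns_postfields; /* 1 when the handle malloc'd its own private copy */
};

static struct handle *handle_init(void)   /* stand-in for curl_easy_init() */
{
    return calloc(1, sizeof(struct handle));
}

/* Stand-in for CURLOPT_COPYPOSTFIELDS: the handle takes a private copy. */
static int set_copy_postfields(struct handle *h, const char *data, size_t len)
{
    char *copy = malloc(len);
    if (!copy)
        return -1;
    memcpy(copy, data, len);
    h->postfields = copy;
    h->postfieldsize = len;
    h->owns_postfields = 1;
    return 0;
}

/* Buggy duplicate (the CVE-2014-3707 pattern): a member-wise copy leaves both
 * handles pointing at the ORIGINAL's private buffer. After the original is
 * cleaned up, the duplicate POSTs whatever now lives in that freed memory. */
static struct handle *dup_handle_buggy(const struct handle *src)
{
    struct handle *d = handle_init();
    if (d)
        *d = *src;  /* shallow: d->postfields == src->postfields */
    return d;
}

/* Fixed duplicate: an owned body is copied again, so each handle sends and
 * frees only its own buffer. This is the ownership rule the fix restores. */
static struct handle *dup_handle_fixed(const struct handle *src)
{
    struct handle *d = handle_init();
    if (!d)
        return NULL;
    d->postfieldsize = src->postfieldsize;
    if (src->owns_postfields && src->postfields) {
        if (set_copy_postfields(d, src->postfields, src->postfieldsize) != 0) {
            free(d);
            return NULL;
        }
    } else {
        d->postfields = src->postfields;  /* caller-owned memory: aliasing is intended */
    }
    return d;
}

/* Stand-in for curl_easy_cleanup(): releases the private copy, if any. */
static void handle_cleanup(struct handle *h)
{
    if (!h)
        return;
    if (h->owns_postfields)
        free(h->postfields);
    free(h);
}

/* Runs COPYPOSTFIELDS -> duphandle -> cleanup(original) with the given
 * duplicate function. Returns 1 if the duplicate aliased the original's private
 * buffer (unsafe to POST from), 0 if it holds an intact copy of its own,
 * -1 on allocation failure. The dangling pointer is never dereferenced. */
static int duplicate_aliases_original(struct handle *(*dup)(const struct handle *))
{
    static const char body[] = "user=alice&password=hunter2";  /* constructed body */
    struct handle *orig = handle_init();
    struct handle *copy;
    int aliased;

    if (!orig || set_copy_postfields(orig, body, sizeof body - 1) != 0) {
        handle_cleanup(orig);
        return -1;
    }
    copy = dup(orig);
    if (!copy) {
        handle_cleanup(orig);
        return -1;
    }
    aliased = (copy->postfields == orig->postfields);

    handle_cleanup(orig);   /* the original goes away before the duplicate POSTs */

    if (!aliased && memcmp(copy->postfields, body, sizeof body - 1) != 0)
        aliased = -1;       /* a real copy must still hold the body */
    if (aliased == 1)
        copy->owns_postfields = 0;  /* its buffer is already freed: avoid a double free */
    handle_cleanup(copy);
    return aliased;
}

int main(void)
{
    printf("buggy duplicate aliases original: %d\n", duplicate_aliases_original(dup_handle_buggy));
    printf("fixed duplicate aliases original: %d\n", duplicate_aliases_original(dup_handle_fixed));
    return 0;
}
```

Build with `cc -Wall example.c` and run; the buggy duplicate reports 1 (aliased) and the fixed one 0. For an application that cannot upgrade libcurl yet, the advisory's trigger condition implies a workaround: set CURLOPT_COPYPOSTFIELDS on the duplicate after calling curl_easy_duphandle(), not on the original before it. On a wheezy host, confirm the fix is installed with `dpkg-query -W -f='${Version}\n' libcurl3` and `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' libcurl3)" ge 7.26.0-1+wheezy11`.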
Original Source
Url : http://www.debian.org/security/2014/dsa-3069
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:27332
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:27332
Title | DSA-3069-1 -- curl security update
Description | Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL, a URL transfer library, has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending while performing an HTTP POST operation.
Family | unix
Class | patch
Reference(s) | DSA-3069-1, CVE-2014-3707
Version | 3
Platform(s) | Debian GNU/Linux 7.0, Debian GNU/kFreeBSD 7.0
Product(s) | curl

Definition Id: oval:org.mitre.oval:def:28215
Field | Value
---|---
Oval ID | oval:org.mitre.oval:def:28215
Title | USN-2399-1 -- curl vulnerability
Description | Symeon Paraschoudis discovered that curl incorrectly handled memory when being used with CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle(). This may result in sensitive data being incorrectly sent to the remote server.
Family | unix
Class | patch
Reference(s) | USN-2399-1, CVE-2014-3707
Version | 5
Platform(s) | Ubuntu 14.10, Ubuntu 14.04, Ubuntu 12.04, Ubuntu 10.04
Product(s) | curl
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | IAVM | Description | Severity | VMSKEY
---|---|---|---|---
2015-08-20 | 2015-A-0199 | Multiple Vulnerabilities in Apple Mac OS X | Category I | V0061337
Nessus® Vulnerability Scanner
Date | Name | File | Type
---|---|---|---
2015-12-22 | The remote Scientific Linux host is missing one or more security updates. | sl_20151119_curl_on_SL7_x.nasl | ACT_GATHER_INFO
2015-12-02 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2015-2159.nasl | ACT_GATHER_INFO
2015-11-24 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2015-2159.nasl | ACT_GATHER_INFO
2015-11-19 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2015-2159.nasl | ACT_GATHER_INFO
2015-08-17 | The remote host is missing a Mac OS X update that fixes multiple security vul... | macosx_10_10_5.nasl | ACT_GATHER_INFO
2015-08-04 | The remote Scientific Linux host is missing one or more security updates. | sl_20150722_curl_on_SL6_x.nasl | ACT_GATHER_INFO
2015-07-31 | The remote OracleVM host is missing one or more security updates. | oraclevm_OVMSA-2015-0107.nasl | ACT_GATHER_INFO
2015-07-30 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2015-1254.nasl | ACT_GATHER_INFO
2015-07-28 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2015-1254.nasl | ACT_GATHER_INFO
2015-07-22 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2015-1254.nasl | ACT_GATHER_INFO
2015-05-20 | The remote SUSE host is missing one or more security updates. | suse_SU-2015-0083-1.nasl | ACT_GATHER_INFO
2015-03-30 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2015-098.nasl | ACT_GATHER_INFO
2015-03-26 | The remote Debian host is missing a security update. | debian_DLA-84.nasl | ACT_GATHER_INFO
2015-02-13 | The remote Amazon Linux AMI host is missing a security update. | ala_ALAS-2015-477.nasl | ACT_GATHER_INFO
2015-02-11 | The remote openSUSE host is missing a security update. | openSUSE-2015-125.nasl | ACT_GATHER_INFO
2015-02-02 | The remote SuSE 11 host is missing one or more security updates. | suse_11_curl-201501-150113.nasl | ACT_GATHER_INFO
2015-01-19 | The remote Solaris system is missing a security patch for third-party software. | solaris11_libcurl_20141216.nasl | ACT_GATHER_INFO
2015-01-05 | The remote Fedora host is missing a security update. | fedora_2014-16690.nasl | ACT_GATHER_INFO
2015-01-02 | The remote Fedora host is missing a security update. | fedora_2014-17601.nasl | ACT_GATHER_INFO
2015-01-02 | The remote Fedora host is missing a security update. | fedora_2014-17596.nasl | ACT_GATHER_INFO
2014-12-15 | The remote Fedora host is missing a security update. | fedora_2014-16605.nasl | ACT_GATHER_INFO
2014-12-15 | The remote Fedora host is missing a security update. | fedora_2014-16538.nasl | ACT_GATHER_INFO
2014-12-02 | The remote Fedora host is missing a security update. | fedora_2014-15706.nasl | ACT_GATHER_INFO
2014-11-19 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-213.nasl | ACT_GATHER_INFO
2014-11-11 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-2399-1.nasl | ACT_GATHER_INFO
2014-11-11 | The remote Fedora host is missing a security update. | fedora_2014-14354.nasl | ACT_GATHER_INFO
2014-11-11 | The remote Fedora host is missing a security update. | fedora_2014-14338.nasl | ACT_GATHER_INFO
2014-11-10 | The remote Debian host is missing a security-related update. | debian_DSA-3069.nasl | ACT_GATHER_INFO
Alert History
Date | Information
---|---
2014-11-17 17:29:10 |
2014-11-16 00:32:18 |
2014-11-11 13:25:59 |
2014-11-07 17:22:36 |