Executive Summary
Summary | |
---|---|
Title | curl security update |
Informations | |||
---|---|---|---|
Name | DSA-4136 | First vendor Publication | 2018-03-14 |
Vendor | Debian | Last vendor Modification | 2018-03-14 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Multiple vulnerabilities were discovered in cURL, an URL transfer library. CVE-2018-1000120 Duy Phan Thanh discovered that curl could be fooled into writing a zero byte out of bounds when curl is told to work on an FTP URL with the setting to only issue a single CWD command, if the directory part of the URL contains a "%00" sequence. CVE-2018-1000121 Dario Weisser discovered that curl might dereference a near-NULL address when getting an LDAP URL due to the ldap_get_attribute_ber() fuction returning LDAP_SUCCESS and a NULL pointer. A malicious server might cause libcurl-using applications that allow LDAP URLs, or that allow redirects to LDAP URLs to crash. CVE-2018-1000122 OSS-fuzz, assisted by Max Dymond, discovered that curl could be tricked into copying data beyond the end of its heap based buffer when asked to transfer an RTSP URL. For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u10. For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u5. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl |
Original Source
Url : http://www.debian.org/security/2018/dsa-4136 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
33 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
33 % | CWE-476 | NULL Pointer Dereference |
33 % | CWE-125 | Out-of-bounds Read |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2019-01-10 | Name : The remote Amazon Linux 2 host is missing a security update. File : al2_ALAS-2019-1139.nasl - Type : ACT_GATHER_INFO |
2019-01-03 | Name : The remote Fedora host is missing a security update. File : fedora_2018-bc65ab5014.nasl - Type : ACT_GATHER_INFO |
2018-11-16 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2018-3157.nasl - Type : ACT_GATHER_INFO |
2018-10-26 | Name : The remote EulerOS Virtualization host is missing multiple security updates. File : EulerOS_SA-2018-1330.nasl - Type : ACT_GATHER_INFO |
2018-08-17 | Name : The remote PhotonOS host is missing multiple security updates. File : PhotonOS_PHSA-2018-1_0-0124.nasl - Type : ACT_GATHER_INFO |
2018-07-03 | Name : The remote EulerOS host is missing multiple security updates. File : EulerOS_SA-2018-1203.nasl - Type : ACT_GATHER_INFO |
2018-05-02 | Name : The remote EulerOS host is missing multiple security updates. File : EulerOS_SA-2018-1109.nasl - Type : ACT_GATHER_INFO |
2018-05-02 | Name : The remote EulerOS host is missing multiple security updates. File : EulerOS_SA-2018-1110.nasl - Type : ACT_GATHER_INFO |
2018-04-20 | Name : The remote Amazon Linux 2 host is missing a security update. File : al2_ALAS-2018-995.nasl - Type : ACT_GATHER_INFO |
2018-04-20 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2018-995.nasl - Type : ACT_GATHER_INFO |
2018-04-10 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201804-04.nasl - Type : ACT_GATHER_INFO |
2018-03-21 | Name : The remote Fedora host is missing a security update. File : fedora_2018-66c96e0024.nasl - Type : ACT_GATHER_INFO |
2018-03-21 | Name : The remote Fedora host is missing a security update. File : fedora_2018-8877b4ccac.nasl - Type : ACT_GATHER_INFO |
2018-03-19 | Name : The remote Debian host is missing a security update. File : debian_DLA-1309.nasl - Type : ACT_GATHER_INFO |
2018-03-16 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2018-074-01.nasl - Type : ACT_GATHER_INFO |
2018-03-15 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-4136.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2018-04-09 17:21:01 |
|
2018-03-15 00:20:56 |
|
2018-03-15 00:18:25 |
|