
Debian: DSA-3232-1 Critical Curl Update: Authentication Issues

April 22, 2015
Debian Advisory DSA-3232-1 emphasizes crucial cURL security updates to fix vulnerabilities, protecting data transfer integrity and security.
Several vulnerabilities were discovered in cURL, a URL transfer library:

Summary

CVE-2015-3143

NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent
over the connection authenticated as a different user. This is
similar to the issue fixed in DSA-2849-1.

CVE-2015-3144

When parsing URLs with a zero-length hostname (such as ""),
libcurl would try to read from an invalid memory address. This could
allow remote attackers to cause a denial of service (crash). This
issue only affects the upcoming stable (jessie) and unstable (sid)
distributions.

CVE-2015-3145

When parsing HTTP cookies, if the parsed cookie's "path" element
consists of a single double-quote, libcurl would try to write to an
invalid heap memory address. This could allow remote attackers to
cause a denial of service (crash). This issue only affects the
upcoming stable (jessie) and unstable (sid) distributions.
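
The CVE-2015-3145 edge case above, as an added example (not libcurl's code and not part of the advisory): a quote-stripping routine for a cookie path that stays in bounds when the value is a single double-quote. The names `strip_path_quotes` and `strips_to` and the sample inputs are hypothetical, and treating quote stripping as the step where the length reaches zero is an assumption made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not libcurl source): heap copy of a cookie "path"
 * value with one leading and one trailing double-quote removed.
 * Returns NULL on NULL input or allocation failure; caller frees. */
char *strip_path_quotes(const char *path)
{
    size_t len;
    char *out;

    if (path == NULL)
        return NULL;
    len = strlen(path);

    /* Leading quote: skip it and shrink the remaining length. */
    if (len > 0 && path[0] == '"') {
        path++;
        len--;
    }
    /* Trailing quote: for the input "\"" the step above already left
     * len == 0, so without the len > 0 guard len - 1 underflows to
     * SIZE_MAX and the index no longer refers to the string. */
    if (len > 0 && path[len - 1] == '"')
        len--;

    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, path, len);
    out[len] = '\0';
    return out;
}

/* Returns 1 if stripping `in` yields exactly `want`. */
int strips_to(const char *in, const char *want)
{
    char *got = strip_path_quotes(in);
    int ok = got != NULL && strcmp(got, want) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample inputs; the first is the advisory's edge case. */
    printf("%d %d\n", strips_to("\"", ""), strips_to("\"/app\"", "/app"));
    return 0;
}
```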

CVE-2015-3148

When doing HTTP requests using the Negotiate authentication method
...


Severity: critical

Package: curl
CVE ID: CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148
