
Fedora: 22 Moderate Update for Curl Credential and Memory Issues

June 24, 2015
This update to curl in Fedora 22 fixes lingering HTTP credentials in connection re-use (CVE-2015-3236) and prevents SMB from sending off unrelated memory contents (CVE-2015-3237). It also implements public key pinning for the NSS backend.

Summary

curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks.

Update Information:

- implement public key pinning for NSS backend (#1195771)
- fix lingering HTTP credentials in connection re-use (CVE-2015-3236)
- prevent SMB from sending off unrelated memory contents (CVE-2015-3237)
- curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363)

Change Log

* Wed Jun 17 2015 Kamil Dudka 7.40.0-5
- implement public key pinning for NSS backend (#1195771)

* Wed Jun 17 2015 Kamil Dudka 7.40.0-4
- fix lingering HTTP credentials in connection re-use (CVE-2015-3236)
- prevent SMB from sending off unrelated memory contents (CVE-2015-3237)
- curl-config --libs now works on x86_64 without libcurl-devel.x86_64 (#1228363)
- do not run flaky test-cases in %check

References


[ 1 ] Bug #1233814 - CVE-2015-3237 curl: SMB send off unrelated memory contents
      https://bugzilla.redhat.com/show_bug.cgi?id=1233814
[ 2 ] Bug #1233816 - CVE-2015-3236 curl: lingering HTTP credentials in connection re-use
      https://bugzilla.redhat.com/show_bug.cgi?id=1233816

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update curl' at the command line. For more information, refer to "Managing Software with yum", available at .
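
After updating, a host can be checked against this advisory. The script below is an added example, not part of the Fedora advisory: it compares the installed curl build with the advisory's 7.40.0-5.fc22 and confirms that the package changelog names both CVEs. The function names and the --check argument are made up for this example.

```sh
#!/bin/sh
# Added example: confirm the installed curl carries this advisory's fixes.
# The build and CVE ids come from the advisory; function names are hypothetical.
FIXED_EVR="7.40.0-5.fc22"
ADVISORY_CVES="CVE-2015-3236 CVE-2015-3237"

# evr_at_least INSTALLED MINIMUM: succeeds when INSTALLED >= MINIMUM.
# Relies on GNU "sort -V", so release 10 sorts after release 5. This is an
# approximation that suits simple version-release strings such as these;
# it is not a full rpm epoch/version/release comparison.
evr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# missing_cves: read a package changelog on stdin and print every advisory
# CVE id that the changelog does not mention (no output means all present).
missing_cves() {
    log=$(cat)
    for cve in $ADVISORY_CVES; do
        printf '%s\n' "$log" | grep -q -F "$cve" || printf '%s\n' "$cve"
    done
}

# check_curl: query the local rpm database. Returns 0 when patched,
# 1 when a fix is missing, 2 when curl is not installed or rpm is absent.
check_curl() {
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' curl | head -n 1)
    [ -n "$evr" ] || return 2
    if ! evr_at_least "$evr" "$FIXED_EVR"; then
        echo "curl $evr is older than $FIXED_EVR"
        return 1
    fi
    missing=$(rpm -q --changelog curl | missing_cves)
    if [ -n "$missing" ]; then
        echo "curl $evr changelog does not mention: $missing"
        return 1
    fi
    echo "curl $evr includes the fixes from this advisory"
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_curl
fi
```

Run it with --check on the host; applications linked against libcurl pick up the fixed library only after they are restarted.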

Severity
important

Name: curl
Product: Fedora 22
Version: 7.40.0
Release: 5.fc22
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
