ID CVE-2014-0138
Summary The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
Vulnerable Configurations
  • Haxx Curl 7.10.6
    cpe:2.3:a:haxx:curl:7.10.6
  • Haxx Curl 7.10.7
    cpe:2.3:a:haxx:curl:7.10.7
  • Haxx Curl 7.10.8
    cpe:2.3:a:haxx:curl:7.10.8
  • Haxx Curl 7.11.0
    cpe:2.3:a:haxx:curl:7.11.0
  • Haxx Curl 7.11.1
    cpe:2.3:a:haxx:curl:7.11.1
  • Haxx Curl 7.11.2
    cpe:2.3:a:haxx:curl:7.11.2
  • Haxx Curl 7.12.0
    cpe:2.3:a:haxx:curl:7.12.0
  • Haxx Curl 7.12.1
    cpe:2.3:a:haxx:curl:7.12.1
  • Haxx Curl 7.12.2
    cpe:2.3:a:haxx:curl:7.12.2
  • Haxx Curl 7.12.3
    cpe:2.3:a:haxx:curl:7.12.3
  • Haxx Curl 7.13.0
    cpe:2.3:a:haxx:curl:7.13.0
  • Haxx Curl 7.13.1
    cpe:2.3:a:haxx:curl:7.13.1
  • Haxx Curl 7.13.2
    cpe:2.3:a:haxx:curl:7.13.2
  • Haxx Curl 7.14.0
    cpe:2.3:a:haxx:curl:7.14.0
  • Haxx Curl 7.14.1
    cpe:2.3:a:haxx:curl:7.14.1
  • Haxx Curl 7.15.0
    cpe:2.3:a:haxx:curl:7.15.0
  • Haxx Curl 7.15.1
    cpe:2.3:a:haxx:curl:7.15.1
  • Haxx Curl 7.15.2
    cpe:2.3:a:haxx:curl:7.15.2
  • Haxx Curl 7.15.3
    cpe:2.3:a:haxx:curl:7.15.3
  • Haxx Curl 7.15.4
    cpe:2.3:a:haxx:curl:7.15.4
  • Haxx Curl 7.15.5
    cpe:2.3:a:haxx:curl:7.15.5
  • Haxx Curl 7.16.0
    cpe:2.3:a:haxx:curl:7.16.0
  • Haxx Curl 7.16.1
    cpe:2.3:a:haxx:curl:7.16.1
  • Haxx Curl 7.16.2
    cpe:2.3:a:haxx:curl:7.16.2
  • Haxx Curl 7.16.3
    cpe:2.3:a:haxx:curl:7.16.3
  • Haxx Curl 7.16.4
    cpe:2.3:a:haxx:curl:7.16.4
  • Haxx Curl 7.17.0
    cpe:2.3:a:haxx:curl:7.17.0
  • Haxx Curl 7.17.1
    cpe:2.3:a:haxx:curl:7.17.1
  • Haxx Curl 7.18.0
    cpe:2.3:a:haxx:curl:7.18.0
  • Haxx Curl 7.18.1
    cpe:2.3:a:haxx:curl:7.18.1
  • Haxx Curl 7.18.2
    cpe:2.3:a:haxx:curl:7.18.2
  • Haxx Curl 7.19.0
    cpe:2.3:a:haxx:curl:7.19.0
  • Haxx Curl 7.19.1
    cpe:2.3:a:haxx:curl:7.19.1
  • Haxx Curl 7.19.2
    cpe:2.3:a:haxx:curl:7.19.2
  • Haxx Curl 7.19.3
    cpe:2.3:a:haxx:curl:7.19.3
  • Haxx Curl 7.19.4
    cpe:2.3:a:haxx:curl:7.19.4
  • Haxx Curl 7.19.5
    cpe:2.3:a:haxx:curl:7.19.5
  • Haxx Curl 7.19.6
    cpe:2.3:a:haxx:curl:7.19.6
  • Haxx Curl 7.19.7
    cpe:2.3:a:haxx:curl:7.19.7
  • Haxx Curl 7.20.0
    cpe:2.3:a:haxx:curl:7.20.0
  • Haxx Curl 7.20.1
    cpe:2.3:a:haxx:curl:7.20.1
  • Haxx Curl 7.21.0
    cpe:2.3:a:haxx:curl:7.21.0
  • Haxx Curl 7.21.1
    cpe:2.3:a:haxx:curl:7.21.1
  • Haxx Curl 7.21.2
    cpe:2.3:a:haxx:curl:7.21.2
  • Haxx Curl 7.21.3
    cpe:2.3:a:haxx:curl:7.21.3
  • Haxx Curl 7.21.4
    cpe:2.3:a:haxx:curl:7.21.4
  • Haxx Curl 7.21.5
    cpe:2.3:a:haxx:curl:7.21.5
  • Haxx Curl 7.21.6
    cpe:2.3:a:haxx:curl:7.21.6
  • Haxx Curl 7.21.7
    cpe:2.3:a:haxx:curl:7.21.7
  • Haxx Curl 7.22.0
    cpe:2.3:a:haxx:curl:7.22.0
  • Haxx Curl 7.23.0
    cpe:2.3:a:haxx:curl:7.23.0
  • Haxx Curl 7.23.1
    cpe:2.3:a:haxx:curl:7.23.1
  • Haxx Curl 7.24.0
    cpe:2.3:a:haxx:curl:7.24.0
  • Haxx Curl 7.25.0
    cpe:2.3:a:haxx:curl:7.25.0
  • Haxx Curl 7.26.0
    cpe:2.3:a:haxx:curl:7.26.0
  • Haxx Curl 7.27.0
    cpe:2.3:a:haxx:curl:7.27.0
  • Haxx Curl 7.28.0
    cpe:2.3:a:haxx:curl:7.28.0
  • Haxx Curl 7.28.1
    cpe:2.3:a:haxx:curl:7.28.1
  • Haxx Curl 7.29.0
    cpe:2.3:a:haxx:curl:7.29.0
  • Haxx Curl 7.30.0
    cpe:2.3:a:haxx:curl:7.30.0
  • Haxx Curl 7.31.0
    cpe:2.3:a:haxx:curl:7.31.0
  • Haxx Curl 7.32.0
    cpe:2.3:a:haxx:curl:7.32.0
  • Haxx Curl 7.33.0
    cpe:2.3:a:haxx:curl:7.33.0
  • Haxx Curl 7.34.0
    cpe:2.3:a:haxx:curl:7.34.0
  • Haxx Curl 7.35.0
    cpe:2.3:a:haxx:curl:7.35.0
  • Haxx libcurl 7.10.6
    cpe:2.3:a:haxx:libcurl:7.10.6
  • Haxx libcurl 7.10.7
    cpe:2.3:a:haxx:libcurl:7.10.7
  • Haxx libcurl 7.10.8
    cpe:2.3:a:haxx:libcurl:7.10.8
  • Haxx libcurl 7.11.0
    cpe:2.3:a:haxx:libcurl:7.11.0
  • Haxx libcurl 7.11.1
    cpe:2.3:a:haxx:libcurl:7.11.1
  • Haxx libcurl 7.11.2
    cpe:2.3:a:haxx:libcurl:7.11.2
  • Haxx libcurl 7.12.0
    cpe:2.3:a:haxx:libcurl:7.12.0
  • Haxx libcurl 7.12.1
    cpe:2.3:a:haxx:libcurl:7.12.1
  • Haxx libcurl 7.12.2
    cpe:2.3:a:haxx:libcurl:7.12.2
  • Haxx libcurl 7.12.3
    cpe:2.3:a:haxx:libcurl:7.12.3
  • Haxx libcurl 7.13.0
    cpe:2.3:a:haxx:libcurl:7.13.0
  • Haxx libcurl 7.13.1
    cpe:2.3:a:haxx:libcurl:7.13.1
  • Haxx libcurl 7.13.2
    cpe:2.3:a:haxx:libcurl:7.13.2
  • Haxx libcurl 7.14.0
    cpe:2.3:a:haxx:libcurl:7.14.0
  • Haxx libcurl 7.14.1
    cpe:2.3:a:haxx:libcurl:7.14.1
  • Haxx libcurl 7.15.0
    cpe:2.3:a:haxx:libcurl:7.15.0
  • Haxx libcurl 7.15.1
    cpe:2.3:a:haxx:libcurl:7.15.1
  • Haxx libcurl 7.15.2
    cpe:2.3:a:haxx:libcurl:7.15.2
  • Haxx libcurl 7.15.3
    cpe:2.3:a:haxx:libcurl:7.15.3
  • Haxx libcurl 7.15.4
    cpe:2.3:a:haxx:libcurl:7.15.4
  • Haxx libcurl 7.15.5
    cpe:2.3:a:haxx:libcurl:7.15.5
  • Haxx libcurl 7.16.0
    cpe:2.3:a:haxx:libcurl:7.16.0
  • Haxx libcurl 7.16.1
    cpe:2.3:a:haxx:libcurl:7.16.1
  • Haxx libcurl 7.16.2
    cpe:2.3:a:haxx:libcurl:7.16.2
  • Haxx libcurl 7.16.3
    cpe:2.3:a:haxx:libcurl:7.16.3
  • Haxx libcurl 7.16.4
    cpe:2.3:a:haxx:libcurl:7.16.4
  • Haxx libcurl 7.17.0
    cpe:2.3:a:haxx:libcurl:7.17.0
  • Haxx libcurl 7.17.1
    cpe:2.3:a:haxx:libcurl:7.17.1
  • Haxx libcurl 7.18.0
    cpe:2.3:a:haxx:libcurl:7.18.0
  • Haxx libcurl 7.18.1
    cpe:2.3:a:haxx:libcurl:7.18.1
  • Haxx libcurl 7.18.2
    cpe:2.3:a:haxx:libcurl:7.18.2
  • Haxx libcurl 7.19.0
    cpe:2.3:a:haxx:libcurl:7.19.0
  • Haxx libcurl 7.19.1
    cpe:2.3:a:haxx:libcurl:7.19.1
  • Haxx libcurl 7.19.2
    cpe:2.3:a:haxx:libcurl:7.19.2
  • Haxx libcurl 7.19.3
    cpe:2.3:a:haxx:libcurl:7.19.3
  • Haxx libcurl 7.19.4
    cpe:2.3:a:haxx:libcurl:7.19.4
  • Haxx libcurl 7.19.5
    cpe:2.3:a:haxx:libcurl:7.19.5
  • Haxx libcurl 7.19.6
    cpe:2.3:a:haxx:libcurl:7.19.6
  • Haxx libcurl 7.19.7
    cpe:2.3:a:haxx:libcurl:7.19.7
  • Haxx libcurl 7.20.0
    cpe:2.3:a:haxx:libcurl:7.20.0
  • Haxx libcurl 7.20.1
    cpe:2.3:a:haxx:libcurl:7.20.1
  • Haxx libcurl 7.21.0
    cpe:2.3:a:haxx:libcurl:7.21.0
  • Haxx libcurl 7.21.1
    cpe:2.3:a:haxx:libcurl:7.21.1
  • Haxx libcurl 7.21.2
    cpe:2.3:a:haxx:libcurl:7.21.2
  • Haxx libcurl 7.21.3
    cpe:2.3:a:haxx:libcurl:7.21.3
  • Haxx libcurl 7.21.4
    cpe:2.3:a:haxx:libcurl:7.21.4
  • Haxx libcurl 7.21.5
    cpe:2.3:a:haxx:libcurl:7.21.5
  • Haxx libcurl 7.21.6
    cpe:2.3:a:haxx:libcurl:7.21.6
  • Haxx libcurl 7.21.7
    cpe:2.3:a:haxx:libcurl:7.21.7
  • Haxx libcurl 7.22.0
    cpe:2.3:a:haxx:libcurl:7.22.0
  • Haxx libcurl 7.23.0
    cpe:2.3:a:haxx:libcurl:7.23.0
  • Haxx libcurl 7.23.1
    cpe:2.3:a:haxx:libcurl:7.23.1
  • Haxx libcurl 7.24.0
    cpe:2.3:a:haxx:libcurl:7.24.0
  • Haxx libcurl 7.25.0
    cpe:2.3:a:haxx:libcurl:7.25.0
  • Haxx libcurl 7.26.0
    cpe:2.3:a:haxx:libcurl:7.26.0
  • Haxx libcurl 7.27.0
    cpe:2.3:a:haxx:libcurl:7.27.0
  • Haxx libcurl 7.28.0
    cpe:2.3:a:haxx:libcurl:7.28.0
  • Haxx libcurl 7.28.1
    cpe:2.3:a:haxx:libcurl:7.28.1
  • Haxx libcurl 7.29.0
    cpe:2.3:a:haxx:libcurl:7.29.0
  • Haxx libcurl 7.30.0
    cpe:2.3:a:haxx:libcurl:7.30.0
  • Haxx libcurl 7.31.0
    cpe:2.3:a:haxx:libcurl:7.31.0
  • Haxx libcurl 7.32.0
    cpe:2.3:a:haxx:libcurl:7.32.0
  • Haxx libcurl 7.33.0
    cpe:2.3:a:haxx:libcurl:7.33.0
  • Haxx libcurl 7.34.0
    cpe:2.3:a:haxx:libcurl:7.34.0
  • Haxx libcurl 7.35.0
    cpe:2.3:a:haxx:libcurl:7.35.0
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
CVSS
Base: 6.4 (as of 06-04-2016 - 10:37)
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to place a man in the middle once SSL is terminated. The premise of REST applications is that they leverage existing infrastructure to deliver web services functionality. An example of this is a REST application that uses HTTP GET methods and receives an HTTP response with an XML document. These REST-style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately, from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so REST developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated, the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password, that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized users do. There is not typically an authentication on the client side beyond what is passed in the request itself, so once this is compromised, it is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent, leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identity between two components.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: NONE
nessus via4
  • NASL family Misc.
    NASL id VMWARE_ESXI_5_1_BUILD_2323236_REMOTE.NASL
    description The remote VMware ESXi host is version 5.1 prior to build 2323236. It is, therefore, affected by the following vulnerabilities in bundled third-party libraries : - Multiple vulnerabilities exist in the bundled Python library. (CVE-2011-3389, CVE-2012-0845, CVE-2012-0876, CVE-2012-1150, CVE-2013-1752, CVE-2013-4238) - Multiple vulnerabilities exist in the bundled GNU C Library (glibc). (CVE-2013-0242, CVE-2013-1914, CVE-2013-4332) - Multiple vulnerabilities exist in the bundled XML Parser library (libxml2). (CVE-2013-2877, CVE-2014-0191) - Multiple vulnerabilities exist in the bundled cURL library (libcurl). (CVE-2014-0015, CVE-2014-0138)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 79862
    published 2014-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79862
    title ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-110.NASL
    description Updated curl packages fix security vulnerabilities : Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user (CVE-2014-0015). libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials (CVE-2014-0138). libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139).
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 74418
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74418
    title Mandriva Linux Security Advisory : curl (MDVSA-2014:110)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2167-1.NASL
    description Steve Holme discovered that libcurl incorrectly reused wrong connections when using protocols other than HTTP and FTP. This could lead to the use of unintended credentials, possibly exposing sensitive information. (CVE-2014-0138) Richard Moore discovered that libcurl incorrectly validated wildcard SSL certificates that contain literal IP addresses. An attacker could possibly exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. (CVE-2014-0139). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-01
    plugin id 73514
    published 2014-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73514
    title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : curl vulnerabilities (USN-2167-1)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2014-0012.NASL
    description a. VMware vCSA cross-site scripting vulnerability VMware vCenter Server Appliance (vCSA) contains a vulnerability that may allow for Cross Site Scripting. Exploitation of this vulnerability in vCenter Server requires tricking a user to click on a malicious link or to open a malicious web page. VMware would like to thank Tanya Secker of Trustwave SpiderLabs for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3797 to this issue. b. vCenter Server certificate validation issue vCenter Server does not properly validate the presented certificate when establishing a connection to a CIM Server residing on an ESXi host. This may allow for a Man-in-the-middle attack against the CIM service. VMware would like to thank The Google Security Team for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-8371 to this issue. c. Update to ESXi libxml2 package libxml2 is updated to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-2877 and CVE-2014-0191 to these issues. d. Update to ESXi Curl package Curl is updated to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2014-0015 and CVE-2014-0138 to these issues. e. Update to ESXi Python package Python is updated to address multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2013-1752 and CVE-2013-4238 to these issues. f. vCenter and Update Manager, Oracle JRE 1.6 Update 81 Oracle has documented the CVE identifiers that are addressed in JRE 1.6.0 update 81 in the Oracle Java SE Critical Patch Update Advisory of July 2014. The References section provides a link to this advisory.
    last seen 2019-01-16
    modified 2019-01-02
    plugin id 79762
    published 2014-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79762
    title VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilities
  • NASL family Misc.
    NASL id VMWARE_VCENTER_VMSA-2014-0012.NASL
    description The VMware vCenter Server installed on the remote host is version 5.0 prior to Update 3c, 5.1 prior to Update 3, or 5.5 prior to Update 2. It is, therefore, affected by multiple vulnerabilities in third party libraries : - Due to improper certificate validation when connecting to a CIM server on an ESXi host, an attacker can perform man-in-the-middle attacks. (CVE-2014-8371) - The bundled version of Oracle JRE is prior to 1.6.0_81 and thus is affected by multiple vulnerabilities. Note that this only affects version 5.1 and 5.0 of vCenter but is only fixed in 5.1 Update 3.
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 79865
    published 2014-12-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79865
    title VMware Security Updates for vCenter Server (VMSA-2014-0012)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2014-086-01.NASL
    description New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2019-01-16
    modified 2014-12-15
    plugin id 73247
    published 2014-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73247
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : curl (SSA:2014-086-01)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-4449.NASL
    description fix connection re-use when using different log-in credentials (CVE-2014-0138) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-19
    plugin id 73264
    published 2014-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73264
    title Fedora 19 : curl-7.29.0-17.fc19 (2014-4449)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2902.NASL
    description Two vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2014-0138 Steve Holme discovered that libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. - CVE-2014-0139 Richard Moore from Westpoint Ltd. reported that libcurl does not behave compliant to RFC 2828 under certain conditions and incorrectly validates wildcard SSL certificates containing literal IP addresses.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 73486
    published 2014-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73486
    title Debian DSA-2902-1 : curl - security update
  • NASL family Web Servers
    NASL id HPSMH_7_2_6.NASL
    description According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.2.6. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries : - HP SMH (XSRF) - libcurl - OpenSSL
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 90251
    published 2016-03-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90251
    title HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-4436.NASL
    description fix connection re-use when using different log-in credentials (CVE-2014-0138) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-19
    plugin id 73263
    published 2014-03-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73263
    title Fedora 20 : curl-7.32.0-8.fc20 (2014-4436)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-322.NASL
    description The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
    last seen 2019-01-16
    modified 2018-04-18
    plugin id 73650
    published 2014-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=73650
    title Amazon Linux AMI : curl (ALAS-2014-322)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6921.NASL
    description - Update to 7.37.0 - Fixes CVE-2014-0138 and CVE-2014-0139 (RHBZ #1080880) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-19
    plugin id 74408
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74408
    title Fedora 19 : mingw-curl-7.37.0-1.fc19 (2014-6921)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6912.NASL
    description - Update to 7.37.0 - Fixes CVE-2014-0138 and CVE-2014-0139 (RHBZ #1080880) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-19
    plugin id 74406
    published 2014-06-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74406
    title Fedora 20 : mingw-curl-7.37.0-1.fc20 (2014-6912)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-329.NASL
    description This curl update fixes two security issues : - bnc#868627: Fixed wrong re-use of connections (CVE-2014-0138). - bnc#868629: Fixed IP address wildcard certificate validation (CVE-2014-0139).
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 75339
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75339
    title openSUSE Security Update : curl (openSUSE-SU-2014:0598-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0107.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - require credentials to match for NTLM re-use (CVE-2015-3143) - close Negotiate connections when done (CVE-2015-3148) - reject CRLFs in URLs passed to proxy (CVE-2014-8150) - use only full matches for hosts used as IP address in cookies (CVE-2014-3613) - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707) - fix manpage typos found using aspell (#1011101) - fix comments about loading CA certs with NSS in man pages (#1011083) - fix handling of DNS cache timeout while a transfer is in progress (#835898) - eliminate unnecessary inotify events on upload via file protocol (#883002) - use correct socket type in the examples (#997185) - do not crash if MD5 fingerprint is not provided by libssh2 (#1008178) - fix SIGSEGV of curl --retry when network is down (#1009455) - allow to use TLS 1.1 and TLS 1.2 (#1012136) - docs: update the links to cipher-suites supported by NSS (#1104160) - allow to use ECC ciphers if NSS implements them (#1058767) - make curl --trace-time print correct time (#1120196) - let tool call PR_Cleanup on exit if NSPR is used (#1146528) - ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747) - allow to enable/disable new AES cipher-suites (#1156422) - include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163) - disable libcurl-level downgrade to SSLv3 (#1154059) - do not force connection close after failed HEAD request (#1168137) - fix occasional SIGSEGV during SSL handshake (#1168668) - fix a connection failure when FTPS handle is reused (#1154663) - fix re-use of wrong HTTP NTLM connection (CVE-2014-0015) - fix connection re-use when using different log-in credentials (CVE-2014-0138) - fix authentication failure when server offers multiple auth options (#799557) - refresh expired cookie in test172 from upstream test-suite (#1069271) - fix a memory leak caused by write after close (#1078562) - 
    nss: implement non-blocking SSL handshake (#1083742)
    last seen 2019-01-16
    modified 2018-07-24
    plugin id 85148
    published 2015-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85148
    title OracleVM 3.3 : curl (OVMSA-2015-0107)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-0561.NASL
    description From Red Hat Security Advisory 2014:0561 : Updated curl packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP(S) with NTLM authentication, LDAP(S), SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials. (CVE-2014-0015, CVE-2014-0138) Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Paras Sethia as the original reporter of CVE-2014-0015 and Yehezkel Horowitz for discovering the security impact of this issue, and Steve Holme as the original reporter of CVE-2014-0138. This update also fixes the following bugs : * Previously, the libcurl library was closing a network socket without first terminating the SSL connection using the socket. This resulted in a write after close and consequent leakage of memory dynamically allocated by the SSL library. An upstream patch has been applied on libcurl to fix this bug. As a result, the write after close no longer happens, and the SSL library no longer leaks memory. (BZ#1092479) * Previously, the libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on libcurl's multi API. 
    To fix this bug, the non-blocking SSL handshake has been implemented by libcurl. With this update, libcurl's multi API immediately returns the control back to the application whenever it cannot read/write data from/to the underlying network socket. (BZ#1092480) * Previously, the curl package could not be rebuilt from sources due to an expired cookie in the upstream test-suite, which runs during the build. An upstream patch has been applied to postpone the expiration date of the cookie, which makes it possible to rebuild the package from sources again. (BZ#1092486) * Previously, the libcurl library attempted to authenticate using Kerberos whenever such an authentication method was offered by the server. This caused problems when the server offered multiple authentication methods and Kerberos was not the selected one. An upstream patch has been applied on libcurl to fix this bug. Now libcurl no longer uses Kerberos authentication if another authentication method is selected. (BZ#1096797) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications that use libcurl have to be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2015-12-01
    plugin id 74203
    published 2014-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74203
    title Oracle Linux 6 : curl (ELSA-2014-0561)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20140527_CURL_ON_SL6_X.NASL
    description It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP(S) with NTLM authentication, LDAP(S), SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials. (CVE-2014-0015, CVE-2014-0138)
      This update also fixes the following bugs:
      - Previously, the libcurl library was closing a network socket without first terminating the SSL connection using the socket. This resulted in a write after close and consequent leakage of memory dynamically allocated by the SSL library. An upstream patch has been applied on libcurl to fix this bug. As a result, the write after close no longer happens, and the SSL library no longer leaks memory.
      - Previously, the libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on libcurl's multi API. To fix this bug, the non-blocking SSL handshake has been implemented by libcurl. With this update, libcurl's multi API immediately returns the control back to the application whenever it cannot read/write data from/to the underlying network socket.
      - Previously, the curl package could not be rebuilt from sources due to an expired cookie in the upstream test-suite, which runs during the build. An upstream patch has been applied to postpone the expiration date of the cookie, which makes it possible to rebuild the package from sources again.
      - Previously, the libcurl library attempted to authenticate using Kerberos whenever such an authentication method was offered by the server. This caused problems when the server offered multiple authentication methods and Kerberos was not the selected one. An upstream patch has been applied on libcurl to fix this bug. Now libcurl no longer uses Kerberos authentication if another authentication method is selected.
      All running applications that use libcurl have to be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-12-28
    plugin id 74208
    published 2014-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74208
    title Scientific Linux Security Update : curl on SL6.x i386/x86_64
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-098.NASL
    description Updated curl packages fix security vulnerabilities:
      Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user (CVE-2014-0015).
      libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials (CVE-2014-0138).
      libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139).
      In cURL before 7.38.0, libcurl can be fooled into both sending cookies to wrong sites and allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613).
      In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply more broadly than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain (CVE-2014-3620).
      Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing an HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence (CVE-2014-3707).
      When libcurl sends a request to a server via an HTTP proxy, it copies the entire URL into the request and sends it off. If the given URL contains line feeds and carriage returns, those will be sent along to the proxy too, which allows the program to, for example, send a separate HTTP request embedded in the URL (CVE-2014-8150).
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 82351
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82351
    title Mandriva Linux Security Advisory : curl (MDVSA-2015:098)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-0561.NASL
    description Updated curl packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
      cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
      It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP(S) with NTLM authentication, LDAP(S), SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials. (CVE-2014-0015, CVE-2014-0138)
      Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Paras Sethia as the original reporter of CVE-2014-0015 and Yehezkel Horowitz for discovering the security impact of this issue, and Steve Holme as the original reporter of CVE-2014-0138.
      This update also fixes the following bugs:
      * Previously, the libcurl library was closing a network socket without first terminating the SSL connection using the socket. This resulted in a write after close and consequent leakage of memory dynamically allocated by the SSL library. An upstream patch has been applied on libcurl to fix this bug. As a result, the write after close no longer happens, and the SSL library no longer leaks memory. (BZ#1092479)
      * Previously, the libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on libcurl's multi API. To fix this bug, the non-blocking SSL handshake has been implemented by libcurl. With this update, libcurl's multi API immediately returns the control back to the application whenever it cannot read/write data from/to the underlying network socket. (BZ#1092480)
      * Previously, the curl package could not be rebuilt from sources due to an expired cookie in the upstream test-suite, which runs during the build. An upstream patch has been applied to postpone the expiration date of the cookie, which makes it possible to rebuild the package from sources again. (BZ#1092486)
      * Previously, the libcurl library attempted to authenticate using Kerberos whenever such an authentication method was offered by the server. This caused problems when the server offered multiple authentication methods and Kerberos was not the selected one. An upstream patch has been applied on libcurl to fix this bug. Now libcurl no longer uses Kerberos authentication if another authentication method is selected. (BZ#1096797)
      All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications that use libcurl have to be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 74227
    published 2014-05-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74227
    title CentOS 6 : curl (CESA-2014:0561)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2014-0012_REMOTE.NASL
    description The remote VMware ESXi host is affected by multiple vulnerabilities:
      - Multiple denial of service vulnerabilities exist in Python function _read_status() in library httplib and in function readline() in libraries smtplib, ftplib, nntplib, imaplib, and poplib. A remote attacker can exploit these vulnerabilities to crash the module. (CVE-2013-1752)
      - An out-of-bounds read error exists in file parser.c in library libxml2 due to a failure to properly check the XML_PARSER_EOF state. An unauthenticated, remote attacker can exploit this, via a crafted document that abruptly ends, to cause a denial of service. (CVE-2013-2877)
      - A spoofing vulnerability exists in the Python SSL module in the ssl.match_hostname() function due to improper handling of the NULL character ('\0') in a domain name in the Subject Alternative Name field of an X.509 certificate. A man-in-the-middle attacker can exploit this, via a crafted certificate issued by a legitimate certification authority, to spoof arbitrary SSL servers. (CVE-2013-4238)
      - cURL and libcurl are affected by a flaw related to the re-use of NTLM connections whenever more than one authentication method is enabled. An unauthenticated, remote attacker can exploit this, via a crafted request, to connect and impersonate other users. (CVE-2014-0015)
      - The default configuration in cURL and libcurl reuses the SCP, SFTP, POP3, POP3S, IMAP, IMAPS, SMTP, SMTPS, LDAP, and LDAPS connections. An unauthenticated, remote attacker can exploit this, via a crafted request, to connect and impersonate other users. (CVE-2014-0138)
      - A flaw exists in the xmlParserHandlePEReference() function in file parser.c in libxml2 due to loading external entities regardless of entity substitution or validation being enabled. An unauthenticated, remote attacker can exploit this, via a crafted XML document, to exhaust resources, resulting in a denial of service. (CVE-2014-0191)
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 87681
    published 2015-12-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87681
    title VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_CURL-140415.NASL
    description This curl update fixes the following security issues:
      - wrong re-use of connections. (CVE-2014-0138). (bnc#868627)
      - IP address wildcard certificate validation. (CVE-2014-0139). (bnc#868629)
      - --insecure option inappropriately enforcing security safeguard. (bnc#870444)
    last seen 2019-01-16
    modified 2014-12-15
    plugin id 74115
    published 2014-05-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74115
    title SuSE 11.3 Security Update : curl (SAT Patch Number 9133)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201406-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-201406-21 (cURL: Multiple vulnerabilities)
      Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details.
      Impact: A remote attacker could cause a man-in-the-middle attack via a crafted certificate issued by a legitimate certification authority. Furthermore, a context-dependent attacker may be able to bypass security restrictions by connecting as other users.
      Workaround: There is no known workaround at this time.
    last seen 2019-01-16
    modified 2018-07-12
    plugin id 76180
    published 2014-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76180
    title GLSA-201406-21 : cURL: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-0561.NASL
    description Updated curl packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
      cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
      It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP(S) with NTLM authentication, LDAP(S), SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials. (CVE-2014-0015, CVE-2014-0138)
      Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Paras Sethia as the original reporter of CVE-2014-0015 and Yehezkel Horowitz for discovering the security impact of this issue, and Steve Holme as the original reporter of CVE-2014-0138.
      This update also fixes the following bugs:
      * Previously, the libcurl library was closing a network socket without first terminating the SSL connection using the socket. This resulted in a write after close and consequent leakage of memory dynamically allocated by the SSL library. An upstream patch has been applied on libcurl to fix this bug. As a result, the write after close no longer happens, and the SSL library no longer leaks memory. (BZ#1092479)
      * Previously, the libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on libcurl's multi API. To fix this bug, the non-blocking SSL handshake has been implemented by libcurl. With this update, libcurl's multi API immediately returns the control back to the application whenever it cannot read/write data from/to the underlying network socket. (BZ#1092480)
      * Previously, the curl package could not be rebuilt from sources due to an expired cookie in the upstream test-suite, which runs during the build. An upstream patch has been applied to postpone the expiration date of the cookie, which makes it possible to rebuild the package from sources again. (BZ#1092486)
      * Previously, the libcurl library attempted to authenticate using Kerberos whenever such an authentication method was offered by the server. This caused problems when the server offered multiple authentication methods and Kerberos was not the selected one. An upstream patch has been applied on libcurl to fix this bug. Now libcurl no longer uses Kerberos authentication if another authentication method is selected. (BZ#1096797)
      All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications that use libcurl have to be restarted for this update to take effect.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 74205
    published 2014-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74205
    title RHEL 6 : curl (RHSA-2014:0561)
redhat via4
advisories
bugzilla
id 1096797
title RHEL-6 libcurl fails when using digest auth and have multiple auth options
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhsa:tst:20100842001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhsa:tst:20100842002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20100842003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20100842004
  • OR
    • AND
      • comment curl is earlier than 0:7.19.7-37.el6_5.3
        oval oval:com.redhat.rhsa:tst:20140561005
      • comment curl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918016
    • AND
      • comment libcurl is earlier than 0:7.19.7-37.el6_5.3
        oval oval:com.redhat.rhsa:tst:20140561007
      • comment libcurl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918020
    • AND
      • comment libcurl-devel is earlier than 0:7.19.7-37.el6_5.3
        oval oval:com.redhat.rhsa:tst:20140561009
      • comment libcurl-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918018
rhsa
id RHSA-2014:0561
released 2014-05-27
severity Moderate
title RHSA-2014:0561: curl security and bug fix update (Moderate)
rpms
  • curl-0:7.19.7-37.el6_5.3
  • libcurl-0:7.19.7-37.el6_5.3
  • libcurl-devel-0:7.19.7-37.el6_5.3
refmap via4
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm
debian DSA-2902
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
secunia
  • 57836
  • 57966
  • 57968
  • 58615
  • 59458
suse openSUSE-SU-2014:0530
ubuntu USN-2167-1
vmware via4
description Curl is updated to address multiple security issues.
id VMSA-2014-0012
last_updated 2015-09-16T00:00:00
published 2014-12-04T00:00:00
title Update to ESXi Curl package
workaround None
Last major update 06-01-2017 - 21:59
Published 15-04-2014 - 10:55
Last modified 09-10-2018 - 15:36