ID CVE-2014-8150
Summary CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.
References
Vulnerable Configurations
  • Debian Linux 7.0
    cpe:2.3:o:debian:debian_linux:7.0
  • Haxx libcurl 6.0
    cpe:2.3:a:haxx:libcurl:6.0
  • Haxx libcurl 6.1
    cpe:2.3:a:haxx:libcurl:6.1
  • Haxx libcurl 6.1 beta
    cpe:2.3:a:haxx:libcurl:6.1:beta
  • Haxx libcurl 6.2
    cpe:2.3:a:haxx:libcurl:6.2
  • Haxx libcurl 6.3
    cpe:2.3:a:haxx:libcurl:6.3
  • Haxx libcurl 6.3.1
    cpe:2.3:a:haxx:libcurl:6.3.1
  • Haxx libcurl 6.4
    cpe:2.3:a:haxx:libcurl:6.4
  • Haxx libcurl 6.5
    cpe:2.3:a:haxx:libcurl:6.5
  • Haxx libcurl 6.5.1
    cpe:2.3:a:haxx:libcurl:6.5.1
  • Haxx libcurl 6.5.2
    cpe:2.3:a:haxx:libcurl:6.5.2
  • Haxx libcurl 7.1
    cpe:2.3:a:haxx:libcurl:7.1
  • Haxx libcurl 7.1.1
    cpe:2.3:a:haxx:libcurl:7.1.1
  • Haxx libcurl 7.2
    cpe:2.3:a:haxx:libcurl:7.2
  • Haxx libcurl 7.2.1
    cpe:2.3:a:haxx:libcurl:7.2.1
  • Haxx libcurl 7.3
    cpe:2.3:a:haxx:libcurl:7.3
  • Haxx libcurl 7.4
    cpe:2.3:a:haxx:libcurl:7.4
  • Haxx libcurl 7.4.1
    cpe:2.3:a:haxx:libcurl:7.4.1
  • Haxx libcurl 7.4.2
    cpe:2.3:a:haxx:libcurl:7.4.2
  • Haxx libcurl 7.5
    cpe:2.3:a:haxx:libcurl:7.5
  • Haxx libcurl 7.5.1
    cpe:2.3:a:haxx:libcurl:7.5.1
  • Haxx libcurl 7.5.2
    cpe:2.3:a:haxx:libcurl:7.5.2
  • Haxx libcurl 7.6
    cpe:2.3:a:haxx:libcurl:7.6
  • Haxx libcurl 7.6.1
    cpe:2.3:a:haxx:libcurl:7.6.1
  • Haxx libcurl 7.7
    cpe:2.3:a:haxx:libcurl:7.7
  • Haxx libcurl 7.7.1
    cpe:2.3:a:haxx:libcurl:7.7.1
  • Haxx libcurl 7.7.2
    cpe:2.3:a:haxx:libcurl:7.7.2
  • Haxx libcurl 7.7.3
    cpe:2.3:a:haxx:libcurl:7.7.3
  • Haxx libcurl 7.8
    cpe:2.3:a:haxx:libcurl:7.8
  • Haxx libcurl 7.8.1
    cpe:2.3:a:haxx:libcurl:7.8.1
  • Haxx libcurl 7.9
    cpe:2.3:a:haxx:libcurl:7.9
  • Haxx libcurl 7.9.1
    cpe:2.3:a:haxx:libcurl:7.9.1
  • Haxx libcurl 7.9.2
    cpe:2.3:a:haxx:libcurl:7.9.2
  • Haxx libcurl 7.9.3
    cpe:2.3:a:haxx:libcurl:7.9.3
  • Haxx libcurl 7.9.4
    cpe:2.3:a:haxx:libcurl:7.9.4
  • Haxx libcurl 7.9.5
    cpe:2.3:a:haxx:libcurl:7.9.5
  • Haxx libcurl 7.9.6
    cpe:2.3:a:haxx:libcurl:7.9.6
  • Haxx libcurl 7.9.7
    cpe:2.3:a:haxx:libcurl:7.9.7
  • Haxx libcurl 7.9.8
    cpe:2.3:a:haxx:libcurl:7.9.8
  • Haxx libcurl 7.10
    cpe:2.3:a:haxx:libcurl:7.10
  • Haxx libcurl 7.10.1
    cpe:2.3:a:haxx:libcurl:7.10.1
  • Haxx libcurl 7.10.2
    cpe:2.3:a:haxx:libcurl:7.10.2
  • Haxx libcurl 7.10.3
    cpe:2.3:a:haxx:libcurl:7.10.3
  • Haxx libcurl 7.10.4
    cpe:2.3:a:haxx:libcurl:7.10.4
  • Haxx libcurl 7.10.5
    cpe:2.3:a:haxx:libcurl:7.10.5
  • Haxx libcurl 7.10.6
    cpe:2.3:a:haxx:libcurl:7.10.6
  • Haxx libcurl 7.10.7
    cpe:2.3:a:haxx:libcurl:7.10.7
  • Haxx libcurl 7.10.8
    cpe:2.3:a:haxx:libcurl:7.10.8
  • Haxx libcurl 7.11.0
    cpe:2.3:a:haxx:libcurl:7.11.0
  • Haxx libcurl 7.11.1
    cpe:2.3:a:haxx:libcurl:7.11.1
  • Haxx libcurl 7.11.2
    cpe:2.3:a:haxx:libcurl:7.11.2
  • Haxx libcurl 7.12.0
    cpe:2.3:a:haxx:libcurl:7.12.0
  • Haxx libcurl 7.12.1
    cpe:2.3:a:haxx:libcurl:7.12.1
  • Haxx libcurl 7.12.2
    cpe:2.3:a:haxx:libcurl:7.12.2
  • Haxx libcurl 7.12.3
    cpe:2.3:a:haxx:libcurl:7.12.3
  • Haxx libcurl 7.13.0
    cpe:2.3:a:haxx:libcurl:7.13.0
  • Haxx libcurl 7.13.1
    cpe:2.3:a:haxx:libcurl:7.13.1
  • Haxx libcurl 7.13.2
    cpe:2.3:a:haxx:libcurl:7.13.2
  • Haxx libcurl 7.14.0
    cpe:2.3:a:haxx:libcurl:7.14.0
  • Haxx libcurl 7.14.1
    cpe:2.3:a:haxx:libcurl:7.14.1
  • Haxx libcurl 7.15.0
    cpe:2.3:a:haxx:libcurl:7.15.0
  • Haxx libcurl 7.15.1
    cpe:2.3:a:haxx:libcurl:7.15.1
  • Haxx libcurl 7.15.2
    cpe:2.3:a:haxx:libcurl:7.15.2
  • Haxx libcurl 7.15.3
    cpe:2.3:a:haxx:libcurl:7.15.3
  • Haxx libcurl 7.15.4
    cpe:2.3:a:haxx:libcurl:7.15.4
  • Haxx libcurl 7.15.5
    cpe:2.3:a:haxx:libcurl:7.15.5
  • Haxx libcurl 7.16.0
    cpe:2.3:a:haxx:libcurl:7.16.0
  • Haxx libcurl 7.16.1
    cpe:2.3:a:haxx:libcurl:7.16.1
  • Haxx libcurl 7.16.2
    cpe:2.3:a:haxx:libcurl:7.16.2
  • Haxx libcurl 7.16.3
    cpe:2.3:a:haxx:libcurl:7.16.3
  • Haxx libcurl 7.16.4
    cpe:2.3:a:haxx:libcurl:7.16.4
  • Haxx libcurl 7.17.0
    cpe:2.3:a:haxx:libcurl:7.17.0
  • Haxx libcurl 7.17.1
    cpe:2.3:a:haxx:libcurl:7.17.1
  • Haxx libcurl 7.18.0
    cpe:2.3:a:haxx:libcurl:7.18.0
  • Haxx libcurl 7.18.1
    cpe:2.3:a:haxx:libcurl:7.18.1
  • Haxx libcurl 7.18.2
    cpe:2.3:a:haxx:libcurl:7.18.2
  • Haxx libcurl 7.19.0
    cpe:2.3:a:haxx:libcurl:7.19.0
  • Haxx libcurl 7.19.1
    cpe:2.3:a:haxx:libcurl:7.19.1
  • Haxx libcurl 7.19.2
    cpe:2.3:a:haxx:libcurl:7.19.2
  • Haxx libcurl 7.19.3
    cpe:2.3:a:haxx:libcurl:7.19.3
  • Haxx libcurl 7.19.4
    cpe:2.3:a:haxx:libcurl:7.19.4
  • Haxx libcurl 7.19.5
    cpe:2.3:a:haxx:libcurl:7.19.5
  • Haxx libcurl 7.19.6
    cpe:2.3:a:haxx:libcurl:7.19.6
  • Haxx libcurl 7.19.7
    cpe:2.3:a:haxx:libcurl:7.19.7
  • Haxx libcurl 7.20.0
    cpe:2.3:a:haxx:libcurl:7.20.0
  • Haxx libcurl 7.20.1
    cpe:2.3:a:haxx:libcurl:7.20.1
  • Haxx libcurl 7.21.0
    cpe:2.3:a:haxx:libcurl:7.21.0
  • Haxx libcurl 7.21.1
    cpe:2.3:a:haxx:libcurl:7.21.1
  • Haxx libcurl 7.21.2
    cpe:2.3:a:haxx:libcurl:7.21.2
  • Haxx libcurl 7.21.3
    cpe:2.3:a:haxx:libcurl:7.21.3
  • Haxx libcurl 7.21.4
    cpe:2.3:a:haxx:libcurl:7.21.4
  • Haxx libcurl 7.21.5
    cpe:2.3:a:haxx:libcurl:7.21.5
  • Haxx libcurl 7.21.6
    cpe:2.3:a:haxx:libcurl:7.21.6
  • Haxx libcurl 7.21.7
    cpe:2.3:a:haxx:libcurl:7.21.7
  • Haxx libcurl 7.22.0
    cpe:2.3:a:haxx:libcurl:7.22.0
  • Haxx libcurl 7.23.0
    cpe:2.3:a:haxx:libcurl:7.23.0
  • Haxx libcurl 7.23.1
    cpe:2.3:a:haxx:libcurl:7.23.1
  • Haxx libcurl 7.24.0
    cpe:2.3:a:haxx:libcurl:7.24.0
  • Haxx libcurl 7.25.0
    cpe:2.3:a:haxx:libcurl:7.25.0
  • Haxx libcurl 7.26.0
    cpe:2.3:a:haxx:libcurl:7.26.0
  • Haxx libcurl 7.27.0
    cpe:2.3:a:haxx:libcurl:7.27.0
  • Haxx libcurl 7.28.0
    cpe:2.3:a:haxx:libcurl:7.28.0
  • Haxx libcurl 7.28.1
    cpe:2.3:a:haxx:libcurl:7.28.1
  • Haxx libcurl 7.29.0
    cpe:2.3:a:haxx:libcurl:7.29.0
  • Haxx libcurl 7.30.0
    cpe:2.3:a:haxx:libcurl:7.30.0
  • Haxx libcurl 7.31.0
    cpe:2.3:a:haxx:libcurl:7.31.0
  • Haxx libcurl 7.32.0
    cpe:2.3:a:haxx:libcurl:7.32.0
  • Haxx libcurl 7.33.0
    cpe:2.3:a:haxx:libcurl:7.33.0
  • Haxx libcurl 7.34.0
    cpe:2.3:a:haxx:libcurl:7.34.0
  • Haxx libcurl 7.35.0
    cpe:2.3:a:haxx:libcurl:7.35.0
  • Haxx libcurl 7.36.0
    cpe:2.3:a:haxx:libcurl:7.36.0
  • Haxx libcurl 7.37.0
    cpe:2.3:a:haxx:libcurl:7.37.0
  • Haxx libcurl 7.37.1
    cpe:2.3:a:haxx:libcurl:7.37.1
  • Haxx libcurl 7.38.0
    cpe:2.3:a:haxx:libcurl:7.38.0
  • Haxx libcurl 7.39
    cpe:2.3:a:haxx:libcurl:7.39
  • Canonical Ubuntu Linux 10.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:10.04:-:-:-:lts
  • Canonical Ubuntu Linux 12.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 14.10
    cpe:2.3:o:canonical:ubuntu_linux:14.10
CVSS
Base: 4.3 (as of 27-02-2015 - 14:35)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE PARTIAL NONE
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-021.NASL
    description Updated curl packages fix security vulnerability : When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL (CVE-2014-8150).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 80467
    published 2015-01-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80467
    title Mandriva Linux Security Advisory : curl (MDVSA-2015:021)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-0415.NASL
    description - reject CRLFs in URLs passed to proxy (CVE-2014-8150) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80449
    published 2015-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80449
    title Fedora 21 : curl-7.37.0-12.fc21 (2015-0415)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-0418.NASL
    description - reject CRLFs in URLs passed to proxy (CVE-2014-8150) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 80450
    published 2015-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80450
    title Fedora 20 : curl-7.32.0-18.fc20 (2015-0418)
  • NASL family Misc.
    NASL id ASTERISK_AST_2015_002.NASL
    description According to its SIP banner, the version of Asterisk running on the remote host is potentially affected by an HTTP request injection vulnerability due to a flaw within the included libcURL library in the 'parseurlandfillconn' function when handling line feeds and carriage returns. A remote attacker, using a specially crafted request, could exploit this to inject unauthorized HTTP requests containing malicious data or request headers. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-06-27
    plugin id 81257
    published 2015-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81257
    title Asterisk libcURL HTTP Request Injection (AST-2015-002)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_CAA98FFD0A9240D0B234FD79B429157E.NASL
    description cURL reports : When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL. Many programs allow some kind of external sources to set the URL or provide partial pieces for the URL to ask for, and if the URL as received from the user is not stripped good enough this flaw allows malicious users to do additional requests in a way that was not intended, or just to insert request headers into the request that the program didn't intend. We are not aware of any exploit of this flaw.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 80453
    published 2015-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80453
    title FreeBSD : cURL -- URL request injection vulnerability (caa98ffd-0a92-40d0-b234-fd79b429157e)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2474-1.NASL
    description Andrey Labunets discovered that curl incorrectly handled certain URLs when using a proxy server. If a user or automated system were tricked into using a specially crafted URL, an attacker could possibly use this issue to inject arbitrary HTTP requests. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 80826
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80826
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : curl vulnerability (USN-2474-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-134.NASL
    description Andrey Labunets of Facebook discovered that cURL, an URL transfer library, fails to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to do additional requests in a way that was not intended, or insert additional request headers into the request. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 82117
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82117
    title Debian DLA-134-1 : curl security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3122.NASL
    description Andrey Labunets of Facebook discovered that cURL, an URL transfer library, fails to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to do additional requests in a way that was not intended, or insert additional request headers into the request.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80421
    published 2015-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80421
    title Debian DSA-3122-1 : curl - security update
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_10_5.NASL
    description The remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.5. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - apache_mod_php - Apple ID OD Plug-in - AppleGraphicsControl - Bluetooth - bootp - CloudKit - CoreMedia Playback - CoreText - curl - Data Detectors Engine - Date & Time pref pane - Dictionary Application - DiskImages - dyld - FontParser - groff - ImageIO - Install Framework Legacy - IOFireWireFamily - IOGraphics - IOHIDFamily - Kernel - Libc - Libinfo - libpthread - libxml2 - libxpc - mail_cmds - Notification Center OSX - ntfs - OpenSSH - OpenSSL - perl - PostgreSQL - python - QL Office - Quartz Composer Framework - Quick Look - QuickTime 7 - SceneKit - Security - SMBClient - Speech UI - sudo - tcpdump - Text Formats - udf Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 85408
    published 2015-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85408
    title Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0107.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - require credentials to match for NTLM re-use (CVE-2015-3143) - close Negotiate connections when done (CVE-2015-3148) - reject CRLFs in URLs passed to proxy (CVE-2014-8150) - use only full matches for hosts used as IP address in cookies (CVE-2014-3613) - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707) - fix manpage typos found using aspell (#1011101) - fix comments about loading CA certs with NSS in man pages (#1011083) - fix handling of DNS cache timeout while a transfer is in progress (#835898) - eliminate unnecessary inotify events on upload via file protocol (#883002) - use correct socket type in the examples (#997185) - do not crash if MD5 fingerprint is not provided by libssh2 (#1008178) - fix SIGSEGV of curl --retry when network is down (#1009455) - allow to use TLS 1.1 and TLS 1.2 (#1012136) - docs: update the links to cipher-suites supported by NSS (#1104160) - allow to use ECC ciphers if NSS implements them (#1058767) - make curl --trace-time print correct time (#1120196) - let tool call PR_Cleanup on exit if NSPR is used (#1146528) - ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747) - allow to enable/disable new AES cipher-suites (#1156422) - include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163) - disable libcurl-level downgrade to SSLv3 (#1154059) - do not force connection close after failed HEAD request (#1168137) - fix occasional SIGSEGV during SSL handshake (#1168668) - fix a connection failure when FTPS handle is reused (#1154663) - fix re-use of wrong HTTP NTLM connection (CVE-2014-0015) - fix connection re-use when using different log-in credentials (CVE-2014-0138) - fix authentication failure when server offers multiple auth options (#799557) - refresh expired cookie in test172 from upstream test-suite (#1069271) - fix a memory leak caused by write after close (#1078562) - nss: implement non-blocking SSL handshake (#1083742)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 85148
    published 2015-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85148
    title OracleVM 3.3 : curl (OVMSA-2015-0107)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_CURL-201501-150113.NASL
    description This update fixes the following security issues : - URL request injection (bnc#911363) When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. (CVE-2014-8150) If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL. - duphandle read out of bounds. (bnc#901924). (CVE-2014-3707) - libcurl cookie leaks (bnc#894575) Additional bug fixed:. (CVE-2014-3613) - curl_multi_remove_handle: don't crash on multiple removes (bnc#897816)
    last seen 2019-02-21
    modified 2015-02-02
    plugin id 81121
    published 2015-02-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81121
    title SuSE 11.3 Security Update : curl (SAT Patch Number 10166)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-477.NASL
    description The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information. (CVE-2014-3707) CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. (CVE-2014-8150)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 81323
    published 2015-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81323
    title Amazon Linux AMI : curl (ALAS-2015-477)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-125.NASL
    description was updated to version 7.40.0 to fix two security issues. These security issues were fixed : - CVE-2014-8150: CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allowed remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL (bnc#911363). - CVE-2014-3707: The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, did not properly copy HTTP POST data for an easy handle, which triggered an out-of-bounds read that allowed remote web servers to read sensitive memory information (bnc#901924). These non-security issues were fixed : - http_digest: Added support for Windows SSPI based authentication - version info: Added Kerberos V5 to the supported features - Makefile: Added VC targets for WinIDN - SSL: Add PEM format support for public key pinning - smtp: Added support for the conversion of Unix newlines during mail send - smb: Added initial support for the SMB/CIFS protocol - Added support for HTTP over unix domain sockets, - via CURLOPT_UNIX_SOCKET_PATH and --unix-socket - sasl: Added support for GSS-API based Kerberos V5 authentication
    last seen 2019-02-21
    modified 2015-03-11
    plugin id 81287
    published 2015-02-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81287
    title openSUSE Security Update : curl (openSUSE-2015-125)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-098.NASL
    description Updated curl packages fix security vulnerabilities : Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user (CVE-2014-0015). libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials (CVE-2014-0138). libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139). In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613). In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain (CVE-2014-3620). Symeon Paraschoudis discovered that the curl_easy_duphandle() function in cURL has a bug that can lead to libcurl eventually sending off sensitive data that was not intended for sending, while performing a HTTP POST operation. This bug requires CURLOPT_COPYPOSTFIELDS and curl_easy_duphandle() to be used in that order, and then the duplicate handle must be used to perform the HTTP POST. The curl command line tool is not affected by this problem as it does not use this sequence (CVE-2014-3707). When libcurl sends a request to a server via a HTTP proxy, it copies the entire URL into the request and sends if off. If the given URL contains line feeds and carriage returns those will be sent along to the proxy too, which allows the program to for example send a separate HTTP request injected embedded in the URL (CVE-2014-8150).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82351
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82351
    title Mandriva Linux Security Advisory : curl (MDVSA-2015:098)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0083-1.NASL
    description This update fixes the following security issues - CVE-2014-8150: URL request injection vulnerability (bnc#911363) - CVE-2014-3707: duphandle read out of bounds (bnc#901924) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 83668
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83668
    title SUSE SLED12 / SLES12 Security Update : curl (SUSE-SU-2015:0083-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1254.NASL
    description Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL version 3.0 (SSLv3.0) was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSLv3.0 through the libcurl API. (BZ#1154059) * A single upload transfer through the FILE protocol opened the destination file twice. If the inotify kernel subsystem monitored the file, two events were produced unnecessarily. The file is now opened only once per upload. (BZ#883002) * Utilities using libcurl for SCP/SFTP transfers could terminate unexpectedly when the system was running in FIPS mode. (BZ#1008178) * Using the '--retry' option with the curl utility could cause curl to terminate unexpectedly with a segmentation fault. Now, adding '--retry' no longer causes curl to crash. (BZ#1009455) * The 'curl --trace-time' command did not use the correct local time when printing timestamps. Now, 'curl --trace-time' works as expected. (BZ#1120196) * The valgrind utility could report dynamically allocated memory leaks on curl exit. Now, curl performs a global shutdown of the NetScape Portable Runtime (NSPR) library on exit, and valgrind no longer reports the memory leaks. (BZ#1146528) * Previously, libcurl returned an incorrect value of the CURLINFO_HEADER_SIZE field when a proxy server appended its own headers to the HTTP response. Now, the returned value is valid. (BZ#1161163) Enhancements : * The '--tlsv1.0', '--tlsv1.1', and '--tlsv1.2' options are available for specifying the minor version of the TLS protocol to be negotiated by NSS. The '--tlsv1' option now negotiates the highest version of the TLS protocol supported by both the client and the server. (BZ#1012136) * It is now possible to explicitly enable or disable the ECC and the new AES cipher suites to be used for TLS. (BZ#1058767, BZ#1156422) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84912
    published 2015-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84912
    title RHEL 6 : curl (RHSA-2015:1254)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2159.NASL
    description Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API. (BZ#1154060) * TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API. (BZ#1170339) * FTP operations such as downloading files took a significantly long time to complete. Now, the FTP implementation in libcurl correctly sets blocking direction and estimated timeout for connections, resulting in faster FTP transfers. (BZ#1218272) Enhancements : * With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol. (BZ#1066065) * The libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns the control back to the application whenever it cannot read or write data from or to the underlying network socket. (BZ#1091429) * The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs. (BZ#1130239) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86934
    published 2015-11-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86934
    title RHEL 7 : curl (RHSA-2015:2159)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150722_CURL_ON_SL6_X.NASL
    description It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotatiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specifc way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate- authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Bug fixes : - An out-of-protocol fallback to SSL version 3.0 (SSLv3.0) was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSLv3.0 through the libcurl API. - A single upload transfer through the FILE protocol opened the destination file twice. If the inotify kernel subsystem monitored the file, two events were produced unnecessarily. The file is now opened only once per upload. - Utilities using libcurl for SCP/SFTP transfers could terminate unexpectedly when the system was running in FIPS mode. - Using the '--retry' option with the curl utility could cause curl to terminate unexpectedly with a segmentation fault. Now, adding '--retry' no longer causes curl to crash. - The 'curl --trace-time' command did not use the correct local time when printing timestamps. Now, 'curl --trace-time' works as expected. - The valgrind utility could report dynamically allocated memory leaks on curl exit. Now, curl performs a global shutdown of the NetScape Portable Runtime (NSPR) library on exit, and valgrind no longer reports the memory leaks. - Previously, libcurl returned an incorrect value of the CURLINFO_HEADER_SIZE field when a proxy server appended its own headers to the HTTP response. Now, the returned value is valid. Enhancements : - The '--tlsv1.0', '--tlsv1.1', and '--tlsv1.2' options are available for specifying the minor version of the TLS protocol to be negotiated by NSS. The '--tlsv1' option now negotiates the highest version of the TLS protocol supported by both the client and the server. - It is now possible to explicitly enable or disable the ECC and the new AES cipher suites to be used for TLS.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 85191
    published 2015-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85191
    title Scientific Linux Security Update : curl on SL6.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2159.NASL
    description From Red Hat Security Advisory 2015:2159 : Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API. (BZ#1154060) * TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API. (BZ#1170339) * FTP operations such as downloading files took a significantly long time to complete. Now, the FTP implementation in libcurl correctly sets blocking direction and estimated timeout for connections, resulting in faster FTP transfers. (BZ#1218272) Enhancements : * With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol. (BZ#1066065) * The libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns the control back to the application whenever it cannot read or write data from or to the underlying network socket. (BZ#1091429) * The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs. (BZ#1130239) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87028
    published 2015-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87028
    title Oracle Linux 7 : curl (ELSA-2015-2159)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1254.NASL
    description Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL version 3.0 (SSLv3.0) was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSLv3.0 through the libcurl API. (BZ#1154059) * A single upload transfer through the FILE protocol opened the destination file twice. If the inotify kernel subsystem monitored the file, two events were produced unnecessarily. The file is now opened only once per upload. (BZ#883002) * Utilities using libcurl for SCP/SFTP transfers could terminate unexpectedly when the system was running in FIPS mode. (BZ#1008178) * Using the '--retry' option with the curl utility could cause curl to terminate unexpectedly with a segmentation fault. Now, adding '--retry' no longer causes curl to crash. (BZ#1009455) * The 'curl --trace-time' command did not use the correct local time when printing timestamps. Now, 'curl --trace-time' works as expected. (BZ#1120196) * The valgrind utility could report dynamically allocated memory leaks on curl exit. Now, curl performs a global shutdown of the NetScape Portable Runtime (NSPR) library on exit, and valgrind no longer reports the memory leaks. (BZ#1146528) * Previously, libcurl returned an incorrect value of the CURLINFO_HEADER_SIZE field when a proxy server appended its own headers to the HTTP response. Now, the returned value is valid. (BZ#1161163) Enhancements : * The '--tlsv1.0', '--tlsv1.1', and '--tlsv1.2' options are available for specifying the minor version of the TLS protocol to be negotiated by NSS. The '--tlsv1' option now negotiates the highest version of the TLS protocol supported by both the client and the server. (BZ#1012136) * It is now possible to explicitly enable or disable the ECC and the new AES cipher suites to be used for TLS. (BZ#1058767, BZ#1156422) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85009
    published 2015-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85009
    title CentOS 6 : curl (CESA-2015:1254)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-47.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-47 (cURL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers and bug reports referenced for details. Impact : Remote attackers could conduct a Man-in-the-Middle attack to obtain sensitive information, cause a Denial of Service condition, or execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-01-20
    plugin id 96644
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96644
    title GLSA-201701-47 : cURL: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-6864.NASL
    description Update to 7.42.0 which fixes various CVE's Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-11-06
    plugin id 83212
    published 2015-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83212
    title Fedora 22 : mingw-curl-7.42.0-1.fc22 (2015-6864)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151119_CURL_ON_SL7_X.NASL
    description It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotatiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specifc way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate- authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Bug fixes : - An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API. - TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API. - FTP operations such as downloading files took a significantly long time to complete. Now, the FTP implementation in libcurl correctly sets blocking direction and estimated timeout for connections, resulting in faster FTP transfers. Enhancements : - With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol. - The libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns the control back to the application whenever it cannot read or write data from or to the underlying network socket. - The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87554
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87554
    title Scientific Linux Security Update : curl on SL7.x x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2159.NASL
    description Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL 3.0 was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSL 3.0 through the libcurl API. (BZ#1154060) * TLS 1.1 and TLS 1.2 are no longer disabled by default in libcurl. You can explicitly disable them through the libcurl API. (BZ#1170339) * FTP operations such as downloading files took a significantly long time to complete. Now, the FTP implementation in libcurl correctly sets blocking direction and estimated timeout for connections, resulting in faster FTP transfers. (BZ#1218272) Enhancements : * With the updated packages, it is possible to explicitly enable or disable new Advanced Encryption Standard (AES) cipher suites to be used for the TLS protocol. (BZ#1066065) * The libcurl library did not implement a non-blocking SSL handshake, which negatively affected performance of applications based on the libcurl multi API. The non-blocking SSL handshake has been implemented in libcurl, and the libcurl multi API now immediately returns the control back to the application whenever it cannot read or write data from or to the underlying network socket. (BZ#1091429) * The libcurl library used an unnecessarily long blocking delay for actions with no active file descriptors, even for short operations. Some actions, such as resolving a host name using /etc/hosts, took a long time to complete. The blocking code in libcurl has been modified so that the initial delay is short and gradually increases until an event occurs. (BZ#1130239) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87138
    published 2015-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87138
    title CentOS 7 : curl (CESA-2015:2159)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-6853.NASL
    description Update to 7.42.0 which fixes various CVE's Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-11-06
    plugin id 83237
    published 2015-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83237
    title Fedora 21 : mingw-curl-7.42.0-1.fc21 (2015-6853)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1254.NASL
    description From Red Hat Security Advisory 2015:1254 : Updated curl packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. (CVE-2014-3613) A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory. (CVE-2014-3707) It was discovered that the libcurl library failed to properly handle URLs with embedded end-of-line characters. An attacker able to make an application using libcurl to access a specially crafted URL via an HTTP proxy could use this flaw to inject additional headers to the request or construct additional requests. (CVE-2014-8150) It was discovered that libcurl implemented aspects of the NTLM and Negotiate authentication incorrectly. If an application uses libcurl and the affected mechanisms in a specific way, certain requests to a previously NTLM-authenticated server could appears as sent by the wrong authenticated user. Additionally, the initial set of credentials for HTTP Negotiate-authenticated requests could be reused in subsequent requests, although a different set of credentials was specified. (CVE-2015-3143, CVE-2015-3148) Red Hat would like to thank the cURL project for reporting these issues. Bug fixes : * An out-of-protocol fallback to SSL version 3.0 (SSLv3.0) was available with libcurl. Attackers could abuse the fallback to force downgrade of the SSL version. The fallback has been removed from libcurl. Users requiring this functionality can explicitly enable SSLv3.0 through the libcurl API. (BZ#1154059) * A single upload transfer through the FILE protocol opened the destination file twice. If the inotify kernel subsystem monitored the file, two events were produced unnecessarily. The file is now opened only once per upload. (BZ#883002) * Utilities using libcurl for SCP/SFTP transfers could terminate unexpectedly when the system was running in FIPS mode. (BZ#1008178) * Using the '--retry' option with the curl utility could cause curl to terminate unexpectedly with a segmentation fault. Now, adding '--retry' no longer causes curl to crash. (BZ#1009455) * The 'curl --trace-time' command did not use the correct local time when printing timestamps. Now, 'curl --trace-time' works as expected. (BZ#1120196) * The valgrind utility could report dynamically allocated memory leaks on curl exit. Now, curl performs a global shutdown of the NetScape Portable Runtime (NSPR) library on exit, and valgrind no longer reports the memory leaks. (BZ#1146528) * Previously, libcurl returned an incorrect value of the CURLINFO_HEADER_SIZE field when a proxy server appended its own headers to the HTTP response. Now, the returned value is valid. (BZ#1161163) Enhancements : * The '--tlsv1.0', '--tlsv1.1', and '--tlsv1.2' options are available for specifying the minor version of the TLS protocol to be negotiated by NSS. The '--tlsv1' option now negotiates the highest version of the TLS protocol supported by both the client and the server. (BZ#1012136) * It is now possible to explicitly enable or disable the ECC and the new AES cipher suites to be used for TLS. (BZ#1058767, BZ#1156422) All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 85096
    published 2015-07-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85096
    title Oracle Linux 6 : curl (ELSA-2015-1254)
redhat via4
advisories
rhsa
id RHSA-2015:1254
rpms
  • curl-0:7.19.7-46.el6
  • libcurl-0:7.19.7-46.el6
  • libcurl-devel-0:7.19.7-46.el6
  • curl-0:7.29.0-25.el7
  • libcurl-0:7.29.0-25.el7
  • libcurl-devel-0:7.29.0-25.el7
refmap via4
apple APPLE-SA-2015-08-13-2
bid 71964
confirm
debian DSA-3122
fedora
  • FEDORA-2015-0415
  • FEDORA-2015-0418
  • FEDORA-2015-6853
  • FEDORA-2015-6864
gentoo GLSA-201701-47
mandriva MDVSA-2015:021
sectrack 1032768
secunia
  • 61925
  • 62075
  • 62361
suse openSUSE-SU-2015:0248
ubuntu USN-2474-1
Last major update 07-12-2016 - 22:06
Published 15-01-2015 - 10:59
Last modified 04-01-2018 - 21:29
Back to Top