ID CVE-2017-2628
Summary curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 (libcurl did not treat HTTP Negotiate-authenticated connections as connection-oriented, so a connection already authenticated as one user could be reused for a later request and that request sent as the first user). The backported code was guarded by the HAVE_GSSAPI preprocessor define, which the RHEL 6 build had meanwhile replaced with USE_HTTP_NEGOTIATE; the guarded code therefore compiled out and the fix had no effect even though the patch was nominally applied. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only; it is corrected in curl 7.19.7-53.el6_9 (RHSA-2017:0847).
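Added example, not curl's code and not part of the original entry: a minimal C model of the failure mode the summary describes. A build that defines USE_HTTP_NEGOTIATE (standing in for the generated curl_config.h on the affected RHEL 6.7 build) compiles the connection-reuse check two ways: guarded by the old HAVE_GSSAPI name, as the mis-backport was, and guarded by the macro the build actually defines. The rule modelled, that a connection authenticated with Negotiate as one user is not reused for a request as another user, is what the CVE-2015-3148 fix enforces; struct conn, reuse_ok_backport, reuse_ok_fixed and mitigation_active are this example's own names, not curl internals.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for curl_config.h on the affected RHEL 6.7 build. Per the summary, the
 * build had stopped defining HAVE_GSSAPI and defined USE_HTTP_NEGOTIATE instead. */
#define USE_HTTP_NEGOTIATE 1

struct conn {
    const char *user;       /* principal the connection was authenticated as */
    int authed_negotiate;   /* an HTTP Negotiate handshake completed on it */
};

/* Reuse decision as the mis-backported fix compiles: the guard names the old macro,
 * so on this build the body is dead code and any user may reuse the connection. */
static int reuse_ok_backport(const struct conn *c, const char *user)
{
#ifdef HAVE_GSSAPI
    if (c->authed_negotiate && strcmp(c->user, user) != 0)
        return 0;
#endif
    (void)c; (void)user;
    return 1;
}

/* The same check keyed to the macro the build actually defines: a connection
 * authenticated as one user is not handed to a request made as another. */
static int reuse_ok_fixed(const struct conn *c, const char *user)
{
#ifdef USE_HTTP_NEGOTIATE
    if (c->authed_negotiate && strcmp(c->user, user) != 0)
        return 0;
#endif
    (void)c; (void)user;
    return 1;
}

/* The regression check that would have caught the backport: on a Negotiate-enabled
 * build, a connection authenticated as "alice" must be refused to "bob". */
static int mitigation_active(int (*reuse_ok)(const struct conn *, const char *))
{
    struct conn c = { "alice", 1 };
    return reuse_ok(&c, "bob") == 0;
}

int main(void)
{
    printf("backported guard active: %d\n", mitigation_active(reuse_ok_backport));
    printf("corrected guard active:  %d\n", mitigation_active(reuse_ok_fixed));
    /* exit non-zero when the shipped (backported) guard is dead on this build */
    return mitigation_active(reuse_ok_backport) ? 0 : 1;
}
```

Run stand-alone, the program exits non-zero because the backported guard is compiled out, which is the outcome a build-time test for a backported security fix should produce: the patch applied cleanly, but the mitigation is not in the binary. A lesson that generalizes beyond curl: when a fix is guarded by a feature macro, the backport's tests must exercise the mitigated path on the target build's configuration, not just confirm the patch applied.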
References
Vulnerable Configurations
  • cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 09-10-2019 - 23:26)
Impact: 6.4
Exploitability: 10.0
CWE NVD-CWE-noinfo
CAPEC
Access
Vector: NETWORK   Complexity: LOW   Authentication: NONE
Impact
Confidentiality: PARTIAL   Integrity: PARTIAL   Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1422464
title CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment curl is earlier than 0:7.19.7-53.el6_9
        oval oval:com.redhat.rhsa:tst:20170847009
      • comment curl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918016
    • AND
      • comment libcurl is earlier than 0:7.19.7-53.el6_9
        oval oval:com.redhat.rhsa:tst:20170847007
      • comment libcurl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918020
    • AND
      • comment libcurl-devel is earlier than 0:7.19.7-53.el6_9
        oval oval:com.redhat.rhsa:tst:20170847005
      • comment libcurl-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110918018
rhsa
id RHSA-2017:0847
released 2017-03-29
severity Moderate
title RHSA-2017:0847: curl security update (Moderate)
rpms
  • curl-0:7.19.7-53.el6_9
  • libcurl-0:7.19.7-53.el6_9
  • libcurl-devel-0:7.19.7-53.el6_9
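Added example, not from the page and not Red Hat's OVAL tooling: a C check that applies the RHSA-2017:0847 criteria above (each of curl, libcurl and libcurl-devel earlier than 0:7.19.7-53.el6_9) to a host's package list. It uses a port of rpm's own rpmvercmp() ordering so that a z-stream release such as 53.el6_9 sorts after 53.el6, tilde pre-releases sort before the final version, and epoch-less packages, which `rpm -q --qf '%{EPOCH}:...'` prints as "(none)" and OVAL writes as "0:", compare as equal. The installed-package list is a constructed sample; struct pkg, evr_cmp and vulnerable_pkgs are this example's own names. Only the "is earlier than" criteria are modelled; the OVAL signing-key test is not.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Port of rpm's rpmvercmp(): compares a version or release string segment by segment,
 * returning -1, 0 or 1. Separators are skipped, numeric segments compare numerically and
 * are newer than alphabetic ones, and '~' sorts before everything (even end of string). */
static int rpmvercmp(const char *one, const char *two)
{
    if (strcmp(one, two) == 0) return 0;
    while (*one || *two) {
        while (*one && !isalnum((unsigned char)*one) && *one != '~') one++;
        while (*two && !isalnum((unsigned char)*two) && *two != '~') two++;
        while (*one == '~' || *two == '~') {            /* 1.0~rc1 < 1.0 */
            if (*one != '~') return 1;
            if (*two != '~') return -1;
            one++; two++;
        }
        if (!(*one && *two)) break;
        const char *s1 = one, *s2 = two;
        int isnum = isdigit((unsigned char)*one);
        if (isnum) {
            while (isdigit((unsigned char)*one)) one++;
            while (isdigit((unsigned char)*two)) two++;
        } else {
            while (isalpha((unsigned char)*one)) one++;
            while (isalpha((unsigned char)*two)) two++;
        }
        if (s2 == two) return isnum ? 1 : -1;           /* mixed types: numeric is newer */
        size_t l1 = (size_t)(one - s1), l2 = (size_t)(two - s2);
        if (isnum) {                                    /* drop leading zeros; more digits wins */
            while (l1 && *s1 == '0') { s1++; l1--; }
            while (l2 && *s2 == '0') { s2++; l2--; }
            if (l1 != l2) return l1 > l2 ? 1 : -1;
        }
        int rc = memcmp(s1, s2, l1 < l2 ? l1 : l2);
        if (rc == 0 && l1 != l2) rc = l1 < l2 ? -1 : 1; /* "ab" < "abc" */
        if (rc) return rc < 0 ? -1 : 1;
    }
    if (!*one && !*two) return 0;
    return *one ? 1 : -1;                               /* leftover segments win */
}

struct evr { char epoch[16], version[64], release[64]; };

/* Split "E:V-R" as printed by `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'`. */
static int parse_evr(const char *s, struct evr *out)
{
    const char *colon = strchr(s, ':'), *v = colon ? colon + 1 : s;
    size_t n = colon ? (size_t)(colon - s) : 0;
    if (n == 6 && memcmp(s, "(none)", 6) == 0) n = 0;   /* rpm prints "(none)" for no epoch */
    if (n >= sizeof out->epoch) return -1;
    memcpy(out->epoch, s, n);
    out->epoch[n] = '\0';
    if (n == 0) strcpy(out->epoch, "0");                /* OVAL spells the same thing "0:" */
    const char *dash = strrchr(v, '-');                 /* neither V nor R may contain '-' */
    if (!dash || (n = (size_t)(dash - v)) >= sizeof out->version
        || strlen(dash + 1) >= sizeof out->release) return -1;
    memcpy(out->version, v, n);
    out->version[n] = '\0';
    strcpy(out->release, dash + 1);
    return 0;
}

/* rpm's EVR ordering: epoch, then version, then release. Returns -2 if unparsable. */
static int evr_cmp(const char *a, const char *b)
{
    struct evr x, y;
    if (parse_evr(a, &x) || parse_evr(b, &y)) return -2;
    int rc = rpmvercmp(x.epoch, y.epoch);
    if (!rc) rc = rpmvercmp(x.version, y.version);
    return rc ? rc : rpmvercmp(x.release, y.release);
}

/* Packages and fixed EVR named in the RHSA-2017:0847 OVAL criteria. */
static const char *const FIXED_PKGS[] = { "curl", "libcurl", "libcurl-devel" };
#define FIXED_EVR "0:7.19.7-53.el6_9"

struct pkg { const char *name; const char *evr; };

/* Count installed packages older than the fix, storing up to `max` names in `out`. */
static int vulnerable_pkgs(const struct pkg *inst, size_t n, const char **out, size_t max)
{
    int found = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof FIXED_PKGS / sizeof *FIXED_PKGS; j++)
            if (strcmp(inst[i].name, FIXED_PKGS[j]) == 0 &&
                evr_cmp(inst[i].evr, FIXED_EVR) == -1 && (size_t)found < max)
                out[found++] = inst[i].name;
    return found;
}

/* Constructed sample of `rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'` output
 * on a RHEL 6 host that rebuilt libcurl-devel but never updated curl/libcurl. */
static const struct pkg SAMPLE[] = {
    { "curl",          "(none):7.19.7-52.el6" },
    { "libcurl",       "(none):7.19.7-52.el6" },
    { "libcurl-devel", "(none):7.19.7-53.el6_9" },
    { "openssl",       "(none):1.0.1e-57.el6" },   /* not in the advisory, ignored */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof *SAMPLE)

int main(void)
{
    const char *names[8];
    int n = vulnerable_pkgs(SAMPLE, SAMPLE_N, names, 8);
    for (int i = 0; i < n; i++)
        printf("%s is older than %s: apply RHSA-2017:0847\n", names[i], FIXED_EVR);
    return n ? 1 : 0;
}
```

On a real host feed the function the output of the rpm query shown in the sample comment. Comparing with rpmvercmp rather than a plain string or float comparison matters here: "7.19.7-53.el6_9" is newer than "7.19.7-53.el6" even though it is not lexically greater, and a naive check would also miss an epoch bump that makes a lower-looking version newer.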
refmap via4
bid 97187
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1422464
Last major update 09-10-2019 - 23:26
Published 12-03-2018 - 15:29