ID CVE-2017-2628
Summary curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.
References
Vulnerable Configurations
  • cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 09-10-2019 - 23:26)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1422464
title CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 6 is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment curl is earlier than 0:7.19.7-53.el6_9
          oval oval:com.redhat.rhsa:tst:20170847001
        • comment curl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110918012
      • AND
        • comment libcurl is earlier than 0:7.19.7-53.el6_9
          oval oval:com.redhat.rhsa:tst:20170847003
        • comment libcurl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110918014
      • AND
        • comment libcurl-devel is earlier than 0:7.19.7-53.el6_9
          oval oval:com.redhat.rhsa:tst:20170847005
        • comment libcurl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110918016
rhsa
id RHSA-2017:0847
released 2017-03-29
severity Moderate
title RHSA-2017:0847: curl security update (Moderate)
rpms
  • curl-0:7.19.7-53.el6_9
  • curl-debuginfo-0:7.19.7-53.el6_9
  • libcurl-0:7.19.7-53.el6_9
  • libcurl-devel-0:7.19.7-53.el6_9
refmap via4
bid 97187
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1422464
Last major update 09-10-2019 - 23:26
Published 12-03-2018 - 15:29
Last modified 09-10-2019 - 23:26