Rapid7 Vulnerability & Exploit Database

RHSA-2014:0561: curl security and bug fix update


Severity: 6
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published: 04/15/2014
Created: 07/25/2018
Added: 05/28/2014
Modified: 07/04/2017

Description

cURL provides the libcurl library and a command line tool for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

It was found that libcurl could incorrectly reuse existing connections for requests that should have used different or no authentication credentials, when using one of the following protocols: HTTP(S) with NTLM authentication, LDAP(S), SCP, or SFTP. If an application using the libcurl library connected to a remote server with certain authentication credentials, this flaw could cause other requests to use those same credentials. (CVE-2014-0015, CVE-2014-0138)

Red Hat would like to thank the cURL project for reporting these issues. Upstream acknowledges Paras Sethia as the original reporter of CVE-2014-0015 and Yehezkel Horowitz for discovering the security impact of this issue, and Steve Holme as the original reporter of CVE-2014-0138.

This update also fixes the following bugs:

All curl users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. All running applications that use libcurl have to be restarted for this update to take effect.
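The flaw class described above is easiest to see in a small model of a connection cache. The following is an added illustration, not code from the advisory, from Rapid7, or from the cURL project: it models a pool that keys reusable connections on host and port only (the vulnerable behaviour) beside one that also keys on the credentials the request was issued with (the corrected behaviour). With connection-level authentication such as NTLM, SCP or SFTP, the identity is bound to the connection itself, so a later request that should have been anonymous, or should have used a different user, silently inherits the first user's identity when the cache hands back the same connection. The hostnames, users and passwords are constructed for the example.

```python
"""Toy model of connection reuse across differing credentials (the RHSA-2014:0561 flaw class).

Constructed example; it does not reproduce libcurl's real cache or the upstream fix,
only the key-selection mistake that makes one request borrow another's identity.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Connection:
    host: str
    port: int
    # Identity established on this connection (e.g. after an NTLM handshake).
    # None means the connection was opened without authentication.
    authenticated_as: Optional[str]


@dataclass
class Request:
    host: str
    port: int
    # "user:password" the caller intends to use, or None for an anonymous request.
    credentials: Optional[str]


def user_of(credentials: Optional[str]) -> Optional[str]:
    """Return the user name part of "user:password", or None for no credentials."""
    return credentials.split(":", 1)[0] if credentials else None


class ConnectionPool:
    """A reuse cache whose key may or may not include the request's credentials."""

    def __init__(self, key_includes_credentials: bool) -> None:
        self.key_includes_credentials = key_includes_credentials
        self.pool: Dict[Tuple, Connection] = {}
        self.log: List[str] = []

    def _key(self, req: Request) -> Tuple:
        if self.key_includes_credentials:
            # Corrected behaviour: a connection authenticated as one user is never
            # handed to a request that carries different (or no) credentials.
            return (req.host, req.port, req.credentials)
        # Vulnerable behaviour: any request to the same endpoint matches.
        return (req.host, req.port)

    def send(self, req: Request) -> Optional[str]:
        """Dispatch a request and return the identity the server actually sees."""
        key = self._key(req)
        conn = self.pool.get(key)
        if conn is None:
            # Connection-level auth binds the identity at connect time.
            conn = Connection(req.host, req.port, user_of(req.credentials))
            self.pool[key] = conn
            self.log.append(f"new connection to {req.host}:{req.port} as {conn.authenticated_as}")
        else:
            self.log.append(f"reused connection to {req.host}:{req.port} as {conn.authenticated_as}")
        # The server attributes the request to the connection's identity, regardless
        # of what the caller intended for this particular request.
        return conn.authenticated_as


def run_scenario(key_includes_credentials: bool):
    """Issue three requests to one endpoint and report which identity each ran as.

    Returns (effective_identities, mismatches) where mismatches lists
    (intended, effective) pairs that differ.
    """
    pool = ConnectionPool(key_includes_credentials)
    requests = [
        Request("intranet.example", 443, "alice:s3cret"),  # authenticated as alice
        Request("intranet.example", 443, None),            # should be anonymous
        Request("intranet.example", 443, "bob:hunter2"),   # should run as bob
    ]
    effective = [pool.send(r) for r in requests]
    intended = [user_of(r.credentials) for r in requests]
    mismatches = [(i, e) for i, e in zip(intended, effective) if i != e]
    return effective, mismatches


if __name__ == "__main__":
    for flag in (False, True):
        effective, mismatches = run_scenario(flag)
        label = "credentials in key" if flag else "host:port key only"
        print(f"{label}: ran as {effective}, {len(mismatches)} request(s) used the wrong identity")
```

In the vulnerable configuration every request to the endpoint runs as alice, including the one that carried no credentials at all, which is exactly the symptom the advisory describes. The model also shows why restarting applications matters after patching: the stale cache lives inside the running process, so an updated library on disk does nothing for connections an older libcurl already holds open.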

Solution(s)

  • redhat-upgrade-curl
  • redhat-upgrade-curl-debuginfo
  • redhat-upgrade-libcurl
  • redhat-upgrade-libcurl-devel
