Description
Security update for curl
This curl update fixes the following security issues:
Security Issue references:
Package list
SUSE Linux Enterprise Desktop 11 SP3
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3-TERADATA
SUSE Linux Enterprise Server for SAP Applications 11 SP3
SUSE Linux Enterprise Software Development Kit 11 SP3
References
- Link for SUSE-SU-2015:0962-1
- E-Mail link for SUSE-SU-2015:0962-1
- SUSE Security Ratings
- SUSE Bug 824517
- SUSE Bug 849596
- SUSE Bug 858673
- SUSE Bug 868627
- SUSE Bug 868629
- SUSE Bug 870444
- SUSE Bug 927174
- SUSE Bug 927556
- SUSE Bug 927746
- SUSE Bug 928533
- SUSE CVE CVE-2013-2174 page
- SUSE CVE CVE-2013-4545 page
- SUSE CVE CVE-2014-0015 page
- SUSE CVE CVE-2014-0138 page
- SUSE CVE CVE-2014-0139 page
- SUSE CVE CVE-2015-3143 page
- SUSE CVE CVE-2015-3148 page
Description
Heap-based buffer overflow in the curl_easy_unescape function in lib/escape.c in cURL and libcurl 7.7 through 7.30.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string ending in a "%" (percent) character.
Affected products
References
- CVE-2013-2174
- SUSE Bug 824517
- SUSE Bug 917692
Description
cURL and libcurl 7.18.0 through 7.32.0, when built with OpenSSL, disables the certificate CN and SAN name field verification (CURLOPT_SSL_VERIFYHOST) when the digital signature verification (CURLOPT_SSL_VERIFYPEER) is disabled, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Affected products
References
- CVE-2013-4545
- SUSE Bug 849596
- SUSE Bug 870444
- SUSE Bug 880252
- SUSE Bug 882520
- SUSE Bug 924250
Description
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
Affected products
References
- CVE-2014-0015
- SUSE Bug 858673
- SUSE Bug 868627
- SUSE Bug 880252
- SUSE Bug 882520
- SUSE Bug 927556
- SUSE Bug 962983
Description
The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
Affected products
References
- CVE-2014-0138
- SUSE Bug 868627
- SUSE Bug 880252
- SUSE Bug 882520
Description
cURL and libcurl 7.1 before 7.36.0, when using the OpenSSL, axtls, qsossl or gskit libraries for TLS, recognize a wildcard IP address in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Affected products
References
- CVE-2014-0139
- SUSE Bug 868629
- SUSE Bug 880252
- SUSE Bug 882520
Description
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.
Affected products
References
- CVE-2015-3143
- SUSE Bug 927556
Description
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
Affected products
References
- CVE-2015-3148
- SUSE Bug 1092962
- SUSE Bug 927746
Description
The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.
Affected products
References
- CVE-2015-3153
- SUSE Bug 928533
- SUSE Bug 951391