SUSE-SU-2016:0340-1

Published: 04 Feb 2016
Source: suse-cvrf

Description

Security update for curl

This update for curl fixes the following issues:

  • CVE-2016-0755: libcurl would reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer (bsc#962983)

The following non-security bugs were fixed:

  • bsc#936676: secure_getenv or __secure_getenv may not be detected correctly at build time

The following tracked bugs only affect the test suite:

  • bsc#962996: Expired cookie in test 46 caused test failures
  • bsc#934333: Curl test suite was not run, is now enabled during build

Package list

SUSE Linux Enterprise Desktop 12
curl-7.37.0-18.1
libcurl4-7.37.0-18.1
libcurl4-32bit-7.37.0-18.1
SUSE Linux Enterprise Desktop 12 SP1
curl-7.37.0-18.1
libcurl4-7.37.0-18.1
libcurl4-32bit-7.37.0-18.1
SUSE Linux Enterprise Server 12
curl-7.37.0-18.1
libcurl4-7.37.0-18.1
libcurl4-32bit-7.37.0-18.1
SUSE Linux Enterprise Server 12 SP1
curl-7.37.0-18.1
libcurl4-7.37.0-18.1
libcurl4-32bit-7.37.0-18.1
SUSE Linux Enterprise Server for SAP Applications 12
curl-7.37.0-18.1
libcurl4-7.37.0-18.1
libcurl4-32bit-7.37.0-18.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
curl-7.37.0-18.1
libcurl4-7.37.0-18.1
libcurl4-32bit-7.37.0-18.1
SUSE Linux Enterprise Software Development Kit 12
libcurl-devel-7.37.0-18.1
SUSE Linux Enterprise Software Development Kit 12 SP1
libcurl-devel-7.37.0-18.1

Description

The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.


Affected products
SUSE Linux Enterprise Desktop 12 SP1:curl-7.37.0-18.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-32bit-7.37.0-18.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-7.37.0-18.1
SUSE Linux Enterprise Desktop 12:curl-7.37.0-18.1
