Red Hat Security Advisory 2015-2159-06 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory.
4c8f1214c87209b025a888e27c36d8b6ff081c288e2cfca9b6e90d6d41fae18dApple Security Advisory 2015-08-13-2 - OS X Yosemite 10.10.5 and Security Update 2015-006 is now available and addresses vulnerabilities in Apache, the OD plug-in, IOBluetoothHCIController, and more.
1ccd5f307af57152abb6e4f0da773ca4420fb7a6e98f26301366a9071ecc9a33Red Hat Security Advisory 2015-1254-02 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit. A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory.
0ed5cabcb944358c959adc7aca7eed2a6fdaaf3a1626d9b045adaa54f8d1b50fMandriva Linux Security Advisory 2015-098 - Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials. Various other issues were also addressed.
238c9d05fcd4c3b08f5247b6e8c3855e7a760b684bb0b2f4b2fd169a52c9dffcMandriva Linux Security Advisory 2014-187 - In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site. In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains , thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
b3f22c75a92b1ce4ae6784727ffb767952bc3783b07b4700c6e473764db78e78Ubuntu Security Notice 2346-1 - Tim Ruehsen discovered that curl incorrectly handled partial literal IP addresses. This could lead to the disclosure of cookies to the wrong site, and malicious sites being able to set cookies for others. Tim Ruehsen discovered that curl incorrectly allowed cookies to be set for Top Level Domains (TLDs). This could allow a malicious site to set a cookie that gets sent to other sites.
569add75b7a86ea622af485c4086142e1e91cb1b462d2168fa594424e1de799cDebian Linux Security Advisory 3022-1 - Two vulnerabilities have been discovered in cURL, an URL transfer library. They can be use to leak cookie information.
5c7afe71736f0b0541d990e07c5812c715b4de0cb69860da5982335e93295eab
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed