USN-2591-1

See a problem?

Source

https://ubuntu.com/security/notices/USN-2591-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2591-1.json

JSON Data

https://api.osv.dev/v1/vulns/USN-2591-1

Related

CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
UBUNTU-CVE-2015-3143
UBUNTU-CVE-2015-3144
UBUNTU-CVE-2015-3145
UBUNTU-CVE-2015-3148
UBUNTU-CVE-2015-3153

Published

2015-04-30T13:27:57.344288Z

Modified

2015-04-30T13:27:57.344288Z

Summary

curl vulnerabilities

Details

Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP credentials when subsequently connecting to the same host over HTTP. (CVE-2015-3143)

Hanno Böck discovered that curl incorrectly handled zero-length host names. If a user or automated system were tricked into using a specially crafted host name, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3144)

Hanno Böck discovered that curl incorrectly handled cookie path elements. If a user or automated system were tricked into parsing a specially crafted cookie, an attacker could possibly use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3145)

Isaac Boukris discovered that when using Negotiate authenticated connections, curl could incorrectly authenticate the entire connection and not just specific HTTP requests. (CVE-2015-3148)

Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP headers both to servers and proxies by default, contrary to expectations. This issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153)

References

Affected packages

Ubuntu:14.04:LTS / curl

Package

Name: curl
Purl: pkg:deb/ubuntu/curl@7.35.0-1ubuntu2.5?arch=src?distro=trusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.35.0-1ubuntu2.5

Affected versions

7.*

7.32.0-1ubuntu1

7.33.0-1ubuntu1

7.34.0-1ubuntu1

7.35.0-1ubuntu1

7.35.0-1ubuntu2

7.35.0-1ubuntu2.1

7.35.0-1ubuntu2.2

7.35.0-1ubuntu2.3

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "curl-udeb": "7.35.0-1ubuntu2.5",
            "curl": "7.35.0-1ubuntu2.5",
            "libcurl3-udeb": "7.35.0-1ubuntu2.5",
            "libcurl3": "7.35.0-1ubuntu2.5",
            "libcurl4-gnutls-dev": "7.35.0-1ubuntu2.5",
            "libcurl3-nss": "7.35.0-1ubuntu2.5",
            "libcurl4-doc": "7.35.0-1ubuntu2.5",
            "libcurl3-gnutls": "7.35.0-1ubuntu2.5",
            "libcurl3-dbg": "7.35.0-1ubuntu2.5",
            "libcurl4-nss-dev": "7.35.0-1ubuntu2.5",
            "libcurl4-openssl-dev": "7.35.0-1ubuntu2.5"
        }
    ]
}