Home / mailings [USN-2591-1] curl vulnerabilities
Posted on 30 April 2015
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-2591-1
April 30, 2015
curl vulnerabilities
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary:
Several security issues were fixed in curl.
Software Description:
- curl: HTTP, HTTPS, and FTP client and client libraries
Details:
Paras Sethia discovered that curl could incorrectly re-use NTLM HTTP
credentials when subsequently connecting to the same host over HTTP.
(CVE-2015-3143)
Hanno B=C3=B6ck discovered that curl incorrectly handled zero-length host=
names.
If a user or automated system were tricked into using a specially crafted=
host name, an attacker could possibly use this issue to cause curl to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3144)
Hanno B=C3=B6ck discovered that curl incorrectly handled cookie path elem=
ents.
If a user or automated system were tricked into parsing a specially craft=
ed
cookie, an attacker could possibly use this issue to cause curl to crash,=
resulting in a denial of service, or possibly execute arbitrary code. Thi=
s
issue only affected Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04.
(CVE-2015-3145)
Isaac Boukris discovered that when using Negotiate authenticated
connections, curl could incorrectly authenticate the entire connection an=
d
not just specific HTTP requests. (CVE-2015-3148)
Yehezkel Horowitz and Oren Souroujon discovered that curl sent HTTP heade=
rs
both to servers and proxies by default, contrary to expectations. This
issue only affected Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-3153)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 15.04:
libcurl3 7.38.0-3ubuntu2.2
libcurl3-gnutls 7.38.0-3ubuntu2.2
libcurl3-nss 7.38.0-3ubuntu2.2
Ubuntu 14.10:
libcurl3 7.37.1-1ubuntu3.4
libcurl3-gnutls 7.37.1-1ubuntu3.4
libcurl3-nss 7.37.1-1ubuntu3.4
Ubuntu 14.04 LTS:
libcurl3 7.35.0-1ubuntu2.5
libcurl3-gnutls 7.35.0-1ubuntu2.5
libcurl3-nss 7.35.0-1ubuntu2.5
Ubuntu 12.04 LTS:
libcurl3 7.22.0-3ubuntu4.14
libcurl3-gnutls 7.22.0-3ubuntu4.14
libcurl3-nss 7.22.0-3ubuntu4.14
In general, a standard system update will make all the necessary changes.=
References:
http://www.ubuntu.com/usn/usn-2591-1
CVE-2015-3143, CVE-2015-3144, CVE-2015-3145, CVE-2015-3148,
CVE-2015-3153
Package Information:
https://launchpad.net/ubuntu/+source/curl/7.38.0-3ubuntu2.2
https://launchpad.net/ubuntu/+source/curl/7.37.1-1ubuntu3.4
https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.5
https://launchpad.net/ubuntu/+source/curl/7.22.0-3ubuntu4.14
