Bug 1053903 (CVE-2014-0015)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2014-0015 curl: re-use of wrong HTTP NTLM connection in libcurl | | |
| Product | [Other] Security Response | Reporter | Vincent Danen <vdanen> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | jkurik, kdudka, security-response-team |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | curl 7.35.0 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-10-24 13:11:58 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1059326, 1059327, 1097085, 1097086 | | |
| Bug Blocks | 1053909 | | |
Description
Vincent Danen, 2014-01-15 23:47:10 UTC

Acknowledgements: Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges Paras Sethia as the original reporter and Yehezkel Horowitz for discovering the security impact.

This is corrected upstream: https://github.com/bagder/curl/commit/8ae35102c43d8d

Fixed in curl-7.35.0-1.fc21.

This affects libcurl 7.10.6 to and including 7.34.0. It is fixed in version 7.35.0.

External References: http://curl.haxx.se/docs/security.html#20140129

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1059327]

curl-7.32.0-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

curl-7.29.0-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Mitigation: Avoid using HTTP NTLM in your application. If you must use NTLM authentication, ensure that it is the only requested authentication method (use --ntlm specifically; do not use --anyauth or other authentication methods).

This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2014:0561 https://rhn.redhat.com/errata/RHSA-2014-0561.html

Statement: This issue affects the version of curl as shipped with Red Hat Enterprise Linux 5 and 7. The Red Hat Security Response Team has rated this issue as having Moderate security impact; a future update may address this flaw.
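As an added triage helper (not from the bug report or the curl project), the Python below parses the first line of `curl --version` output and flags libcurl builds whose upstream version falls in the affected range the report gives (7.10.6 up to and including 7.34.0). It reasons about the upstream number only: distribution packages such as the curl-7.29.0-13.fc19 build named above carry the fix backported under an older version string, so a hit here means "check the package changelog and errata", not "vulnerable"; the host names and version lines are constructed samples.

```python
import re

# Affected upstream libcurl range from the bug report:
# 7.10.6 up to and including 7.34.0; fixed upstream in 7.35.0.
AFFECTED_MIN = (7, 10, 6)
FIXED_IN = (7, 35, 0)

# Constructed sample first lines of `curl --version`; not captured from real hosts.
SAMPLE_OUTPUTS = {
    "host-a": "curl 7.34.0 (x86_64-pc-linux-gnu) libcurl/7.34.0 OpenSSL/1.0.1e zlib/1.2.8",
    "host-b": "curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1e zlib/1.2.8",
    "host-c": "curl 7.10.5 (i686-pc-linux-gnu) libcurl/7.10.5 OpenSSL/0.9.7",
    "host-d": "bash: curl: command not found",
}

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_libcurl_version(version_line: str):
    """Return the libcurl version from a `curl --version` line as (major, minor, patch), or None."""
    m = _LIBCURL_RE.search(version_line)
    return tuple(int(x) for x in m.groups()) if m else None


def upstream_version_in_affected_range(version) -> bool:
    """True when the upstream libcurl version lies in the range the bug report lists."""
    return AFFECTED_MIN <= version < FIXED_IN


def triage(outputs: dict) -> dict:
    """Classify each host by upstream version: in_affected_range, outside_range or unknown.

    A distro build in the affected range may still carry a backported fix, so
    in_affected_range is a prompt to check the package's errata, not a verdict.
    """
    result = {}
    for host, line in outputs.items():
        version = parse_libcurl_version(line)
        if version is None:
            result[host] = "unknown"
        elif upstream_version_in_affected_range(version):
            result[host] = "in_affected_range"
        else:
            result[host] = "outside_range"
    return result


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {verdict}")
```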