Daniel Stenberg reported the following vulnerability in cURL: libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP. libcurl features a pool of recent connections so that subsequent requests can re-use an existing connection to avoid overhead. When re-using a connection a range of criterion must first be met. Due to an error in the code, a transfer that was initiated by an application could wrongfully re-use an existing connection to the same server that was authenticated using different credentials. The existing logic basically only worked well enough for HTTP and FTP, while all other network protocols were silently, but erroneously, assumed to work like HTTP. Basically, protocols that use connection oriented authentication need a new connection when new credentials are used. Affected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and LDAP(S). Applications can disable libcurl's re-use of connections and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or aren't re-used: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using curl_multi API). (This problem is very similar to a problem previously reported to NTLM HTTP connections, named CVE-2014-0015) Versions 7.10.6 to and including 7.35.0 are affected. The flaw is fixed in version 7.36.0 Acknowledgements: Red Hat would like to thank the cURL project for reporting this issue. Upstream acknowledges Steve Holme as the original reporter.
Fixed now in curl version 7.36.0. External References: http://curl.haxx.se/docs/adv_20140326A.html
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1080879]
Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1080880]
Created mingw32-curl tracking bugs for this issue: Affects: epel-5 [bug 1080891]
The following upstream patch makes the test-suite work with the fix applied: https://github.com/bagder/curl/commit/f82e0edc
curl-7.29.0-17.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
curl-7.32.0-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Upstream commit: https://github.com/bagder/curl/commit/517b06d
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2014:0561 https://rhn.redhat.com/errata/RHSA-2014-0561.html
Statement: This issue affects the version of curl as shipped with Red Hat Enterprise Linux 5 and 7. The Red Hat Security Response Team has rated this issue as having Moderate security impact, a future update may address this flaw.