Bug 1463849 - Multiple vulnerabilities with Red Hat provided cURL packages ( CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625)
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl
Version: 6.8
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Kamil Dudka
QA Contact: BaseOS QE Security Team
Reported: 2017-06-21 18:26 EDT by RK Davies
Modified: 2017-06-22 03:02 EDT
CC: 1 user
Last Closed: 2017-06-22 03:02:17 EDT
Type: Bug
Description RK Davies 2017-06-21 18:26:07 EDT
CVE-2016-8615
Problem: curl: Cookie injection for other servers
Impact: Moderate
Business Impact: Threatens PCI Compliance
Red Hat decision to fix: Will not fix

CVE-2016-8616
Problem: curl: Case insensitive password comparison
Impact: Low
Business Impact: Threatens PCI Compliance
Red Hat decision to fix: Will not fix

CVE-2016-8619
Problem: curl: Double-free in krb5 code
Impact: Moderate
Business Impact: Threatens PCI Compliance
Red Hat decision to fix: Will not fix

CVE-2016-8621
Problem: curl: curl_getdate out-of-bounds read
Impact: Low
Business Impact: Threatens PCI Compliance
Red Hat decision to fix: Will not fix

CVE-2016-8623
Problem: curl: Use-after-free via shared cookies
Impact: Low
Business Impact: Threatens PCI Compliance
Red Hat decision to fix: Will not fix

CVE-2016-8624
Problem: curl: Invalid URL parsing with '#'
Impact: Moderate
Business Impact: Threatens PCI Compliance
Red Hat decision to fix: Will not fix

CVE-2016-8625
Problem: curl: IDNA 2003 makes curl use wrong host
Impact: Moderate
Business Impact: Threatens PCI Compliance
Red Hat decision to fix: Will not fix


Version-Release number of selected component (if applicable):
curl 7.12.0 to and including 7.50.3
curl-7.15.5-17.el5_9.x86_64 specifically installed from RHEL sources

How reproducible:
This affected package gets installed to all deployments of RHEL6.8 (Possibly other versions as well)

Steps to Reproduce:
1. Deploy new installation of RHEL 6.8 with cURL installed
2. $ rpm -qa | grep -i curl
curl-7.15.5-17.el5_9.x86_64

Expected results:
A version not affected by the above-listed CVEs. Either 

Additional info:
PCI compliance audits require vendor-supplied patches for active vulnerabilities to be applied in a timely manner, as defined by current corp. vulnerability management policies. Current automated vulnerability scans are picking up the above-mentioned version of cURL and listing these servers as vulnerable for a number of the CVE references listed above.
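An added example, not part of this bug report and not a Red Hat tool: the version check in "Steps to Reproduce" is what version-matching scanners do, but on an RPM-based host it is not sufficient on its own, because Red Hat backports security fixes into the existing package without changing the upstream version number. The package changelog (`rpm -q --changelog curl`) is where a backported fix for a given CVE shows up. The script below splits a package NVRA string into its fields and checks a changelog for a list of CVE identifiers with anchored matching. The changelog text embedded in it is constructed for the example and is not the real curl changelog; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report, not Red Hat tooling).
# Two checks to run when a version-based scanner flags an RPM-packaged curl:
#   1. read the exact package name/version/release/arch, not a grep over rpm -qa
#   2. look for the CVE ids in the package changelog, where backported fixes are recorded
# The changelog text below is CONSTRUCTED for this example; on a real host use
#   rpm -q --changelog curl | cve_status CVE-2016-8615 CVE-2016-8616 ...

# Split an NVRA string such as curl-7.15.5-17.el5_9.x86_64 into
# "name version release arch" on one line.  The release field carries the
# distribution tag and the packager's patch level.
nvra_fields() {
    nvra=$1
    arch=${nvra##*.}
    nvr=${nvra%.*}
    release=${nvr##*-}
    nv=${nvr%-*}
    version=${nv##*-}
    name=${nv%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$release" "$arch"
}

# Read changelog text on stdin; for each CVE id given as an argument print
# "<CVE> mentioned-in-changelog" or "<CVE> not-mentioned".  The pattern is
# anchored on both sides so that CVE-2016-8615 does not match CVE-2016-86150.
cve_status() {
    changelog=$(cat)
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -Eiq -- "(^|[^0-9A-Za-z])$cve([^0-9]|$)"; then
            printf '%s mentioned-in-changelog\n' "$cve"
        else
            printf '%s not-mentioned\n' "$cve"
        fi
    done
}

# Number of CVEs from the argument list that the changelog on stdin does not
# mention.  These are the ids to raise with the vendor; the others are at least
# claimed as fixed by the packager.  "|| true" keeps grep -c's exit status 1
# on a zero count from aborting a caller running under set -e.
unmentioned_count() {
    cve_status "$@" | grep -c ' not-mentioned$' || true
}

# Constructed stand-in for `rpm -q --changelog curl` output (entries, dates,
# names and version strings are made up for the example).
SAMPLE_CHANGELOG='* Wed Jun 21 2017 Example Maintainer <maint@example.com> - 7.19.7-0.example.2
- constructed entry: backport fix for CVE-2016-8624
- constructed entry: backport fix for CVE-2016-8625
* Tue May 02 2017 Example Maintainer <maint@example.com> - 7.19.7-0.example.1
- constructed entry: unrelated bug fix
'

# Stand-alone demo: ./check_curl_cves.sh --demo
if [ "${1:-}" = "--demo" ]; then
    nvra_fields curl-7.15.5-17.el5_9.x86_64
    printf '%s' "$SAMPLE_CHANGELOG" | cve_status CVE-2016-8615 CVE-2016-8624 CVE-2016-8625
    printf 'unmentioned: %s\n' "$(printf '%s' "$SAMPLE_CHANGELOG" | unmentioned_count CVE-2016-8615 CVE-2016-8624 CVE-2016-8625)"
fi
```

On a real host, query the package by name (`rpm -q curl libcurl`) rather than `rpm -qa | grep -i curl`, which also matches unrelated packages such as python-pycurl. A CVE id absent from the changelog does not by itself prove the package is vulnerable (the vendor may have rated the issue as not affecting its build, as the linked tracking bugs for each CVE record), but it is the id to raise with the vendor, and an id present in the changelog is the evidence a scanner's version match does not see.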
Comment 2 Kamil Dudka 2017-06-22 03:02:17 EDT
All of the above CVEs are already tracked.  See the following bugs for details:

https://bugzilla.redhat.com/CVE-2016-8615 
https://bugzilla.redhat.com/CVE-2016-8616 
https://bugzilla.redhat.com/CVE-2016-8619 
https://bugzilla.redhat.com/CVE-2016-8621 
https://bugzilla.redhat.com/CVE-2016-8623 
https://bugzilla.redhat.com/CVE-2016-8624 
https://bugzilla.redhat.com/CVE-2016-8625 

It does not make any sense to create duplicated bug reports for them in Bugzilla.  If you are a customer of Red Hat, please contact Product Support regarding your concerns.
