CVE-2014-0138
Published: 27 March 2014
The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
Priority
Status
Package | Release | Status |
---|---|---|
curl | upstream | Released (7.36.0) |
curl | lucid | Released (7.19.7-1ubuntu1.7) |
curl | precise | Released (7.22.0-3ubuntu4.8) |
curl | quantal | Released (7.27.0-1ubuntu1.9) |
curl | saucy | Released (7.32.0-1ubuntu1.4) |

Patches:
- upstream: http://curl.haxx.se/libcurl-bad-reuse.patch
- upstream: https://github.com/bagder/curl/commit/378af08c99299683eb728fd8f9d3d3ab05f73ec0 (bp)
- upstream: https://github.com/bagder/curl/commit/d765099813f58153cb859279c743e6494d179341 (bp)
- upstream: https://github.com/bagder/curl/commit/517b06d657aceb11a234b05cc891170c367ab80d
- upstream: https://github.com/bagder/curl/commit/f82e0edc171b33528bc4f59036505d98ecf1d816