CVE-2015-3148

Published: 22 April 2015

cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

Priority

Status

Package	Release	Status
curl Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Released (7.22.0-3ubuntu4.14)
	trusty	Released (7.35.0-1ubuntu2.5)
	upstream	Released (7.42.0)
	utopic	Released (7.37.1-1ubuntu3.4)
	vivid	Released (7.38.0-3ubuntu2.2)
	Patches: upstream: http://curl.haxx.se/CVE-2015-3148.patch upstream: https://github.com/bagder/curl/commit/f78ae415d24b9bd89d6c121c556e411fdb21c6aa upstream: https://github.com/bagder/curl/commit/79b9d5f1a42578f807a6c94914bc65cbaa304b6d

References

http://curl.haxx.se/docs/adv_20150422B.html
https://ubuntu.com/security/notices/USN-2591-1
https://www.cve.org/CVERecord?id=CVE-2015-3148
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.