CVE-2015-3148
Published: 22 April 2015
cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.
Priority
Status
Package | Release | Status |
---|---|---|
curl Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
precise |
Released
(7.22.0-3ubuntu4.14)
|
|
trusty |
Released
(7.35.0-1ubuntu2.5)
|
|
upstream |
Released
(7.42.0)
|
|
utopic |
Released
(7.37.1-1ubuntu3.4)
|
|
vivid |
Released
(7.38.0-3ubuntu2.2)
|
|
Patches: upstream: http://curl.haxx.se/CVE-2015-3148.patch upstream: https://github.com/bagder/curl/commit/f78ae415d24b9bd89d6c121c556e411fdb21c6aa upstream: https://github.com/bagder/curl/commit/79b9d5f1a42578f807a6c94914bc65cbaa304b6d |