Detections
Analytics
Debian DSA-2902-1 : curl - security update
medium Nessus Plugin ID 73486
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Two vulnerabilities have been discovered in cURL, an URL transfer library. The Common Vulnerabilities and Exposures project identifies the following problems :- CVE-2014-0138 Steve Holme discovered that libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP.
- CVE-2014-0139 Richard Moore from Westpoint Ltd. reported that libcurl does not behave compliant to RFC 2828 under certain conditions and incorrectly validates wildcard SSL certificates containing literal IP addresses.
Solution
Upgrade the curl packages.For the oldstable distribution (squeeze), these problems have been fixed in version 7.21.0-2.1+squeeze8.
For the stable distribution (wheezy), these problems have been fixed in version 7.26.0-1+wheezy9.
See Also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742728
https://security-tracker.debian.org/tracker/CVE-2014-0138
https://security-tracker.debian.org/tracker/CVE-2014-0139
https://packages.debian.org/source/squeeze/curl
Plugin Details
Severity: Medium
ID: 73486
File Name: debian_DSA-2902.nasl
Version: 1.11
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 4/14/2014
Updated: 1/11/2021
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Temporal Score: 5.6
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:curl, cpe:/o:debian:debian_linux:6.0, cpe:/o:debian:debian_linux:7.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 4/13/2014
Reference Information
CVE: CVE-2014-0138, CVE-2014-0139
DSA: 2902