Detections
Analytics

Mandriva Linux Security Advisory : curl (MDVSA-2014:187)

medium Nessus Plugin ID 77887

Language:

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Updated curl packages fix security vulnerabilities :

In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain (CVE-2014-3620).

Solution

Update the affected packages.

See Also

http://advisories.mageia.org/MGASA-2014-0385.html

Plugin Details

Severity: Medium

ID: 77887

File Name: mandriva_MDVSA-2014-187.nasl

Version: 1.6

Type: local

Published: 9/26/2014

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:curl, p-cpe:/a:mandriva:linux:curl-examples, p-cpe:/a:mandriva:linux:lib64curl-devel, p-cpe:/a:mandriva:linux:lib64curl4, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 9/25/2014

Reference Information

CVE: CVE-2014-3613, CVE-2014-3620

BID: 69742, 69748

MDVSA: 2014:187