Mandriva Linux Security Advisory : curl (MDVSA-2014:187)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Updated curl packages fix security vulnerabilities :

In cURL before 7.38.0, libcurl can be fooled into both sending cookies
to the wrong sites and allowing arbitrary sites to set cookies for
others. For this problem to trigger, the client application must use
the numerical IP address in the URL to access the site
(CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for
Top Level Domains (TLDs), so that they apply more broadly than cookies
are allowed to. This can allow arbitrary sites to set cookies that
would then be sent to a different and unrelated site or domain
(CVE-2014-3620).
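
The two checks a cookie jar needs for these cases, written as an added example that is not part of the advisory and not curl's code: RFC 6265 domain matching, where an IP-address host matches only an identical Domain attribute, plus rejection of Domain attributes that are public suffixes. The function names, the short PUBLIC_SUFFIXES set and the sample hosts are constructed for illustration.

```python
import ipaddress

# Constructed stand-in for a public-suffix list; a real client would load the
# full list (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def is_ip(host):
    """True if host is an IPv4 or IPv6 literal (brackets allowed for IPv6)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def naive_match(cookie_domain, host):
    """Plain suffix comparison with no IP or TLD handling (the unsafe form)."""
    return host.lower().endswith(cookie_domain.lower().lstrip("."))

def strict_match(cookie_domain, host):
    """RFC 6265 section 5.1.3 domain-match, refusing public-suffix domains."""
    domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    if not domain:
        return False
    # IP-address hosts never suffix-match: only an identical string is accepted.
    if is_ip(host) or is_ip(domain):
        return host == domain
    # A cookie scoped to a whole TLD / public suffix would reach unrelated sites.
    if domain in PUBLIC_SUFFIXES:
        return False
    # Suffix match must fall on a label boundary.
    return host == domain or host.endswith("." + domain)

# Constructed cases: (Domain attribute of the cookie, host of the request)
CASES = [
    ("0.2.10", "192.0.2.10"),            # partial IP address
    ("192.0.2.10", "192.0.2.10"),        # exact IP address
    ("com", "shop.example.com"),         # TLD-wide cookie
    ("example.com", "shop.example.com"), # ordinary parent domain
]

def compare(cases=CASES):
    """Return (domain, host, naive result, strict result) for each case."""
    return [(d, h, naive_match(d, h), strict_match(d, h)) for d, h in cases]

if __name__ == "__main__":
    for row in compare():
        print("domain=%-12s host=%-18s naive=%-5s strict=%s" % row)
```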

See also :

http://advisories.mageia.org/MGASA-2014-0385.html

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Mandriva Local Security Checks

Nessus Plugin ID: 77887

Bugtraq ID: 69742, 69748

CVE ID: CVE-2014-3613, CVE-2014-3620