Mandriva Linux Security Advisory : curl (MDVSA-2014:187)

Medium Nessus Plugin ID 77887

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Updated curl packages fix security vulnerabilities :

In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain (CVE-2014-3620).

Solution

Update the affected packages.

See Also

http://advisories.mageia.org/MGASA-2014-0385.html

Plugin Details

Severity: Medium

ID: 77887

File Name: mandriva_MDVSA-2014-187.nasl

Version: 1.4

Type: local

Published: 2014/09/26

Updated: 2018/07/19

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:curl, p-cpe:/a:mandriva:linux:curl-examples, p-cpe:/a:mandriva:linux:lib64curl-devel, p-cpe:/a:mandriva:linux:lib64curl4, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/09/25

Reference Information

CVE: CVE-2014-3613, CVE-2014-3620

BID: 69742, 69748

MDVSA: 2014:187