OracleVM 3.3 : curl (OVMSA-2015-0107)

Medium Nessus Plugin ID 85148


The remote OracleVM host is missing one or more security updates.


The remote OracleVM system is missing necessary patches to address critical security updates:

- require credentials to match for NTLM re-use (CVE-2015-3143)

- close Negotiate connections when done (CVE-2015-3148)

- reject CRLFs in URLs passed to proxy (CVE-2014-8150)

- use only full matches for hosts used as IP address in cookies (CVE-2014-3613)

- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)

- fix manpage typos found using aspell (#1011101)

- fix comments about loading CA certs with NSS in man pages (#1011083)

- fix handling of DNS cache timeout while a transfer is in progress (#835898)

- eliminate unnecessary inotify events on upload via file protocol (#883002)

- use correct socket type in the examples (#997185)

- do not crash if MD5 fingerprint is not provided by libssh2 (#1008178)

- fix SIGSEGV of curl --retry when network is down (#1009455)

- allow to use TLS 1.1 and TLS 1.2 (#1012136)

- docs: update the links to cipher-suites supported by NSS (#1104160)

- allow to use ECC ciphers if NSS implements them (#1058767)

- make curl --trace-time print correct time (#1120196)

- let tool call PR_Cleanup on exit if NSPR is used (#1146528)

- ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747)

- allow to enable/disable new AES cipher-suites (#1156422)

- include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163)

- disable libcurl-level downgrade to SSLv3 (#1154059)

- do not force connection close after failed HEAD request (#1168137)

- fix occasional SIGSEGV during SSL handshake (#1168668)

- fix a connection failure when FTPS handle is reused (#1154663)

- fix re-use of wrong HTTP NTLM connection (CVE-2014-0015)

- fix connection re-use when using different log-in credentials (CVE-2014-0138)

- fix authentication failure when server offers multiple auth options (#799557)

- refresh expired cookie in test172 from upstream test-suite (#1069271)

- fix a memory leak caused by write after close (#1078562)

- nss: implement non-blocking SSL handshake (#1083742)


Update the affected curl / libcurl packages.

Plugin Details

Severity: Medium

ID: 85148

File Name: oraclevm_OVMSA-2015-0107.nasl

Version: $Revision: 2.2 $

Type: local

Published: 2015/07/31

Modified: 2017/02/14

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:curl, p-cpe:/a:oracle:vm:libcurl, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2015/07/30

Reference Information

CVE: CVE-2014-0015, CVE-2014-0138, CVE-2014-3613, CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3148

BID: 65270, 66457, 69748, 70988, 71964, 74299, 74301

OSVDB: 102715, 104972, 111287, 114163, 116807, 121128, 121129