Test ID: 1.3.6.1.4.1.25623.1.0.120290
Category: Amazon Linux Local Security Checks
Title: Amazon Linux: Security Advisory (ALAS-2015-477)
Summary: The remote host is missing an update for the 'curl' package(s) announced via the ALAS-2015-477 advisory.
Description:

Summary:
The remote host is missing an update for the 'curl' package(s) announced via the ALAS-2015-477 advisory.

Vulnerability Insight:
The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy HTTP POST data for an easy handle, which triggers an out-of-bounds read that allows remote web servers to read sensitive memory information. (CVE-2014-3707)

CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. (CVE-2014-8150)

Affected Software/OS:
'curl' package(s) on Amazon Linux.

Solution:
Please install the updated package(s).

CVSS Score:
4.3

CVSS Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2014-3707
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
BugTraq ID: 70988
http://www.securityfocus.com/bid/70988
Debian Security Information: DSA-3069
http://www.debian.org/security/2014/dsa-3069
RedHat Security Advisories: RHSA-2015:1254
http://rhn.redhat.com/errata/RHSA-2015-1254.html
SuSE Security Announcement: openSUSE-SU-2015:0248
http://lists.opensuse.org/opensuse-updates/2015-02/msg00040.html
http://www.ubuntu.com/usn/USN-2399-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-8150
BugTraq ID: 71964
http://www.securityfocus.com/bid/71964
Debian Security Information: DSA-3122
http://www.debian.org/security/2015/dsa-3122
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147876.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147856.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157188.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/156945.html
https://security.gentoo.org/glsa/201701-47
http://www.mandriva.com/security/advisories?name=MDVSA-2015:021
http://www.securitytracker.com/id/1032768
http://secunia.com/advisories/61925
http://secunia.com/advisories/62075
http://secunia.com/advisories/62361
http://www.ubuntu.com/usn/USN-2474-1
Copyright: Copyright (C) 2015 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.