Test ID: | 1.3.6.1.4.1.25623.1.1.1.2.2016.711 |
Category: | Debian Local Security Checks |
Title: | Debian: Security Advisory (DLA-711-1) |
Summary: | The remote host is missing an update for the Debian 'curl' package(s) announced via the DLA-711-1 advisory. |
Description: | Vulnerability Insight:

CVE-2016-8615: If cookie state is written into a cookie jar file that is later read back and used for subsequent requests, a malicious HTTP server can inject new cookies for arbitrary domains into said cookie jar. The issue pertains to the function that loads cookies into memory, which reads the specified file into a fixed-size buffer line by line using the `fgets()` function. If an invocation of `fgets()` cannot read the whole line into the destination buffer because the buffer is too small, it truncates the output. This way, a very long cookie (name + value) sent by a malicious server would be stored in the file; when that cookie is later read back only partially, and if it is crafted correctly, it could be treated as a different cookie for another server.

CVE-2016-8616: When re-using a connection, curl was doing case-insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.

CVE-2016-8617: In libcurl's base64 encode function, the output buffer is allocated as follows without any checks on insize: `malloc( insize * 4 / 3 + 4 )`. On systems with 32-bit addresses in userspace (e.g. x86, ARM, x32), the multiplication in the expression wraps around if insize is at least 1GB of data. If this happens, an undersized output buffer will be allocated, but the full result will be written, thus causing the memory behind the output buffer to be overwritten. Systems with 64-bit versions of the `size_t` type are not affected by this issue.

CVE-2016-8618: The libcurl API function called `curl_maprintf()` can be tricked into doing a double-free due to an unsafe `size_t` multiplication, on systems using 32-bit `size_t` variables. The function is also used internally in numerous situations. Systems with 64-bit versions of the `size_t` type are not affected by this issue.

CVE-2016-8619: In curl's implementation of the Kerberos authentication mechanism, the function `read_data()` in security.c is used to fill the necessary krb5 structures. When reading one of the length fields from the socket, it fails to ensure that the length parameter passed to `realloc()` is not set to 0.

CVE-2016-8621: The `curl_getdate` function converts a given date string into a numerical timestamp, and it supports a range of different formats and possibilities to express a date and time. The underlying date parsing function is also used internally when parsing, for example, HTTP cookies (possibly received from remote servers), and it can be used when doing conditional HTTP requests.

CVE-2016-8622: The URL percent-encoding decode function in libcurl is called `curl_easy_unescape`. Internally, even if this function would be made to allocate an unescape destination buffer ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS: 'curl' package(s) on Debian 7.

Solution: Please install the updated package(s).

CVSS Score: 7.5

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2016-8615
BugTraq ID: 94096
http://www.securityfocus.com/bid/94096
https://security.gentoo.org/glsa/201701-47
https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
RedHat Security Advisories: RHSA-2018:2486
https://access.redhat.com/errata/RHSA-2018:2486
RedHat Security Advisories: RHSA-2018:3558
https://access.redhat.com/errata/RHSA-2018:3558
http://www.securitytracker.com/id/1037192

Common Vulnerability Exposure (CVE) ID: CVE-2016-8616
BugTraq ID: 94094
http://www.securityfocus.com/bid/94094

Common Vulnerability Exposure (CVE) ID: CVE-2016-8617
BugTraq ID: 94097
http://www.securityfocus.com/bid/94097

Common Vulnerability Exposure (CVE) ID: CVE-2016-8618
BugTraq ID: 94098
http://www.securityfocus.com/bid/94098

Common Vulnerability Exposure (CVE) ID: CVE-2016-8619
BugTraq ID: 94100
http://www.securityfocus.com/bid/94100

Common Vulnerability Exposure (CVE) ID: CVE-2016-8621
BugTraq ID: 94101
http://www.securityfocus.com/bid/94101

Common Vulnerability Exposure (CVE) ID: CVE-2016-8622
BugTraq ID: 94105
http://www.securityfocus.com/bid/94105

Common Vulnerability Exposure (CVE) ID: CVE-2016-8623
BugTraq ID: 94106
http://www.securityfocus.com/bid/94106

Common Vulnerability Exposure (CVE) ID: CVE-2016-8624
BugTraq ID: 94103
http://www.securityfocus.com/bid/94103
https://curl.haxx.se/docs/adv_20161102J.html
https://lists.apache.org/thread.html/rfaa4d578587f52a9c4d176af516a681a712c664e3be440a4163691d5@%3Ccommits.pulsar.apache.org%3E |
Copyright | Copyright (C) 2023 Greenbone AG |