type: security
subject: Updated curl package fixes security vulnerability
CVE:
  - CVE-2015-3236
  - CVE-2015-3237
src:
  5:
    core:
      - curl-7.40.0-3.1.mga5
description: |
  libcurl can wrongly send HTTP credentials when re-using connections. Even
  if the handle for an HTTP connection is reset, it retains the credentials,
  which can cause them to be unintentionally leaked in subsequent requests
  (CVE-2015-3236).

  libcurl can get tricked by a malicious SMB server to send off data it did
  not intend to. A malicious SMB server can use this to access arbitrary
  process memory, or to crash the client, causing a denial of service
  (CVE-2015-3237).
references:
  - https://bugs.mageia.org/show_bug.cgi?id=16140
  - http://curl.haxx.se/docs/adv_20150617A.html
  - http://curl.haxx.se/docs/adv_20150617B.html
ID: MGASA-2015-0263