Your submission was sent successfully! Close

CVE-2015-3144

Published: 22 April 2015

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."

Notes

AuthorNote
mdeslaur
7.37.0+
Priority

Medium

Status

Package Release Status
curl
Launchpad, Ubuntu, Debian
lucid Not vulnerable

precise Not vulnerable

trusty Not vulnerable
(7.35.0-1ubuntu2.3)
upstream
Released (7.42.0)
utopic
Released (7.37.1-1ubuntu3.4)
vivid
Released (7.38.0-3ubuntu2.2)
Patches:
upstream: http://curl.haxx.se/CVE-2015-3144.patch