CVE-2015-3148

Published: 22 April 2015

cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

Priority

Medium

Status

Package  Release                          Status
curl     Upstream                         Released (7.42.0)
curl     Ubuntu 14.04 ESM (Trusty Tahr)   Released (7.35.0-1ubuntu2.5)
Patches:
Upstream: http://curl.haxx.se/CVE-2015-3148.patch
Upstream: https://github.com/bagder/curl/commit/f78ae415d24b9bd89d6c121c556e411fdb21c6aa (bp)
Upstream: https://github.com/bagder/curl/commit/79b9d5f1a42578f807a6c94914bc65cbaa304b6d