CVE-2015-3148

Published: 22 April 2015

cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request.

Priority

Medium

Status

Package: curl (Launchpad, Ubuntu, Debian)

Release: Status
lucid: Ignored (reached end-of-life)
precise: Released (7.22.0-3ubuntu4.14)
trusty: Released (7.35.0-1ubuntu2.5)
upstream: Released (7.42.0)
utopic: Released (7.37.1-1ubuntu3.4)
vivid: Released (7.38.0-3ubuntu2.2)

Patches:
upstream: http://curl.haxx.se/CVE-2015-3148.patch
upstream: https://github.com/bagder/curl/commit/f78ae415d24b9bd89d6c121c556e411fdb21c6aa (bp)
upstream: https://github.com/bagder/curl/commit/79b9d5f1a42578f807a6c94914bc65cbaa304b6d