{"id":"MGASA-2014-0153","summary":"Updated curl packages fix multiple vulnerabilities","details":"Updated curl packages fix security vulnerabilities:\n\nParas Sethia discovered that libcurl would sometimes mix up multiple HTTP\nand HTTPS connections with NTLM authentication to the same server, sending\nrequests for one user over the connection authenticated as a different user\n(CVE-2014-0015).\n\nlibcurl can in some circumstances re-use the wrong connection when asked to\ndo transfers using other protocols than HTTP and FTP, causing a transfer\nthat was initiated by an application to wrongfully re-use an existing\nconnection to the same server that was authenticated using different\ncredentials (CVE-2014-0138).\n\nlibcurl incorrectly validates wildcard SSL certificates containing literal\nIP addresses, so under certain conditions, it would allow and use a wildcard\nmatch specified in the CN field, allowing a malicious server to participate\nin a MITM attack or just fool users into believing that it is a legitimate\nsite (CVE-2014-0139).\n","modified":"2026-02-04T02:26:44.788255Z","published":"2014-04-03T00:56:35Z","related":["CVE-2014-0015","CVE-2014-0138","CVE-2014-0139"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0153.html"},{"type":"REPORT","url":"http://curl.haxx.se/docs/adv_20140129.html"},{"type":"REPORT","url":"http://curl.haxx.se/docs/adv_20140326A.html"},{"type":"REPORT","url":"http://curl.haxx.se/docs/adv_20140326B.html"},{"type":"REPORT","url":"http://www.debian.org/security/2014/dsa-2849"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=12476"}],"affected":[{"package":{"name":"curl","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/curl?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.28.1-6.4.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0153.json"}},{"package":{"name":"curl","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/curl?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.34.0-1.2.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0153.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}