{"id":"MGASA-2014-0385","summary":"Updated curl packages fix security vulnerabilities","details":"Updated curl packages fix security vulnerabilities:\n\nIn cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong\nsites and into allowing arbitrary sites to set cookies for others. For this\nproblem to trigger, the client application must use the numerical IP address\nin the URL to access the site (CVE-2014-3613).\n\nIn cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level\nDomains (TLDs), thus making them apply broader than cookies are allowed. This\ncan allow arbitrary sites to set cookies that then would get sent to a\ndifferent and unrelated site or domain (CVE-2014-3620).\n","modified":"2026-02-04T03:38:32.236666Z","published":"2014-09-24T16:44:28Z","related":["CVE-2014-3613","CVE-2014-3620"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0385.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14088"},{"type":"REPORT","url":"http://curl.haxx.se/docs/adv_20140910A.html"},{"type":"REPORT","url":"http://curl.haxx.se/docs/adv_20140910B.html"}],"affected":[{"package":{"name":"curl","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/curl?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.34.0-1.3.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0385.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}