Headline
CVE-2014-3620: Debian -- Security Information -- DSA-3022-1 curl
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
Debian Security Advisory
Date Reported:
10 Sep 2014
Affected Packages:
curl
Vulnerable:
Yes
Security database references:
In Mitre’s CVE dictionary: CVE-2014-3613, CVE-2014-3620.
More information:
Two vulnerabilities have been discovered in cURL, an URL transfer library. They can be use to leak cookie information:
CVE-2014-3613
By not detecting and rejecting domain names for partial literal IP addresses properly when parsing received HTTP cookies, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others.
CVE-2014-3620
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain.
For the stable distribution (wheezy), these problems have been fixed in version 7.26.0-1+wheezy10.
For the testing distribution (jessie), these problems have been fixed in version 7.38.0-1.
For the unstable distribution (sid), these problems have been fixed in version 7.38.0-1.
We recommend that you upgrade your curl packages.
Related news
Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 5.5.57 and earlier, 5.6.37 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect availability via vectors related to GIS.