curl-7.19.7-37.AXS4.3
エラータID: AXSA:2014-397:01
リリース日:
2014/06/14 Saturday - 21:16
題名:
curl-7.19.7-37.AXS4.3
影響のあるチャネル:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- cURL と libcurl には,複数の認証メソッドが有効な場合,NTLM コネクションを再利用し,リクエストによって攻撃者が他のユーザとして認証される脆弱性があります。(CVE-2014-0015)
- cURL と libcurl のデフォルト設定は (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, (10) LDAPS コネクションを再利用し,リクエストによって攻撃者が他のユーザとして接続する脆弱性があります。
この脆弱性は CVE-2014-0015 と類似する問題です。(CVE-2014-0138)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2014-0015
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication method is enabled, re-uses NTLM connections, which might allow context-dependent attackers to authenticate as other users via a request.
CVE-2014-0138
The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015.
追加情報:
N/A
ダウンロード:
SRPMS
- curl-7.19.7-37.AXS4.3.src.rpm
MD5: f7c8f583fe86d2f535b7b6541c599c2e
SHA-256: ace951c6a83890bd006eb7117fe8b87e14db2fd75d9dbdb310adca13b2432bb3
Size: 2.01 MB
Asianux Server 4 for x86
- curl-7.19.7-37.AXS4.3.i686.rpm
MD5: 9f65acc6d87169efa03c567dc14728ec
SHA-256: 842b3bedaa4b60194c27efb04084b126287ed0f3c613fb1d4823fdd57361ee7e
Size: 193.40 kB - libcurl-7.19.7-37.AXS4.3.i686.rpm
MD5: d3c59a0603761ad316cd7225381bd4c8
SHA-256: 50d7d500631cd3b410675b5515920a61454800708519eae11176eab85c215b97
Size: 171.65 kB - libcurl-devel-7.19.7-37.AXS4.3.i686.rpm
MD5: 29c3b2ed02cfad997d0811e5f4201dd8
SHA-256: 41657d048893905312cd883d19508f58205128fffc21ee86a8fc7e7b708c870d
Size: 243.96 kB
Asianux Server 4 for x86_64
- curl-7.19.7-37.AXS4.3.x86_64.rpm
MD5: 8c5c6d1f23831d066e88cb885e4c68e4
SHA-256: f0679a415169f669075dbd9d6be48d874d8f4aeb46dc83be6980ed46a358b5c5
Size: 193.07 kB - libcurl-7.19.7-37.AXS4.3.x86_64.rpm
MD5: 592cbf495f3c656c8d21df0f35a22d6d
SHA-256: 9f36e23be53fa24cd0037c25d1c9f2013cdac33e63c284d5c8c65a0637b7fcc2
Size: 164.71 kB - libcurl-devel-7.19.7-37.AXS4.3.x86_64.rpm
MD5: 99a6157ac7c794a1f7d07a7fc76b95f4
SHA-256: 3d2be704b12f9d2783852c73d60883280dd68743163eec563298d37cecb72334
Size: 243.53 kB - libcurl-7.19.7-37.AXS4.3.i686.rpm
MD5: d3c59a0603761ad316cd7225381bd4c8
SHA-256: 50d7d500631cd3b410675b5515920a61454800708519eae11176eab85c215b97
Size: 171.65 kB - libcurl-devel-7.19.7-37.AXS4.3.i686.rpm
MD5: 29c3b2ed02cfad997d0811e5f4201dd8
SHA-256: 41657d048893905312cd883d19508f58205128fffc21ee86a8fc7e7b708c870d
Size: 243.96 kB