Detections
Analytics

OracleVM 3.3 : curl (OVMSA-2015-0107)

medium Nessus Plugin ID 85148

Language:

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates :

 - require credentials to match for NTLM re-use (CVE-2015-3143)

 - close Negotiate connections when done (CVE-2015-3148)

 - reject CRLFs in URLs passed to proxy (CVE-2014-8150)

 - use only full matches for hosts used as IP address in cookies (CVE-2014-3613)

 - fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)

 - fix manpage typos found using aspell (#1011101)

 - fix comments about loading CA certs with NSS in man pages (#1011083)

 - fix handling of DNS cache timeout while a transfer is in progress (#835898)

 - eliminate unnecessary inotify events on upload via file protocol (#883002)

 - use correct socket type in the examples (#997185)

 - do not crash if MD5 fingerprint is not provided by libssh2 (#1008178)

 - fix SIGSEGV of curl --retry when network is down (#1009455)

 - allow to use TLS 1.1 and TLS 1.2 (#1012136)

 - docs: update the links to cipher-suites supported by NSS (#1104160)

 - allow to use ECC ciphers if NSS implements them (#1058767)

 - make curl --trace-time print correct time (#1120196)

 - let tool call PR_Cleanup on exit if NSPR is used (#1146528)

 - ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth (#1154747)

 - allow to enable/disable new AES cipher-suites (#1156422)

 - include response headers added by proxy in CURLINFO_HEADER_SIZE (#1161163)

 - disable libcurl-level downgrade to SSLv3 (#1154059)

 - do not force connection close after failed HEAD request (#1168137)

 - fix occasional SIGSEGV during SSL handshake (#1168668)

 - fix a connection failure when FTPS handle is reused (#1154663)

 - fix re-use of wrong HTTP NTLM connection (CVE-2014-0015)

 - fix connection re-use when using different log-in credentials (CVE-2014-0138)

 - fix authentication failure when server offers multiple auth options (#799557)

 - refresh expired cookie in test172 from upstream test-suite (#1069271)

 - fix a memory leak caused by write after close (#1078562)

 - nss: implement non-blocking SSL handshake (#1083742)

Solution

Update the affected curl / libcurl packages.

See Also

https://oss.oracle.com/pipermail/oraclevm-errata/2015-July/000355.html

Plugin Details

Severity: Medium

ID: 85148

File Name: oraclevm_OVMSA-2015-0107.nasl

Version: 2.5

Type: local

Published: 7/31/2015

Updated: 1/4/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:curl, p-cpe:/a:oracle:vm:libcurl, cpe:/o:oracle:vm_server:3.3

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/30/2015

Vulnerability Publication Date: 2/1/2014

Reference Information

CVE: CVE-2014-0015, CVE-2014-0138, CVE-2014-3613, CVE-2014-3707, CVE-2014-8150, CVE-2015-3143, CVE-2015-3148

BID: 65270, 66457, 69748, 70988, 71964, 74299, 74301