Date: Wed, 2 Nov 2016 08:07:22 +0100 (CET) From: Daniel Stenberg <daniel@...x.se> To: curl security announcements -- curl users <curl-users@...l.haxx.se>, curl-announce@...l.haxx.se, libcurl hacking <curl-library@...l.haxx.se>, oss-security@...ts.openwall.com Subject: [SECURITY ADVISORY] curl case insensitive password comparison case insensitive password comparison ==================================== Project cURL Security Advisory, November 2, 2016 - [Permalink](https://curl.haxx.se/docs/adv_20161102B.html) VULNERABILITY ------------- When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections. This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password. We are not aware of any exploit of this flaw. INFO ---- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-8616 to this issue. AFFECTED VERSIONS ----------------- This flaw exists in the following curl versions. - Affected versions: curl 7.7 to and including 7.50.3 - Not affected versions: curl < 7.7 and curl >= 7.51.0 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ In version 7.51.0, these functions will deny negative string lengths from being used. A [patch for CVE-2016-8616](https://curl.haxx.se/CVE-2016-8616.patch) is available. RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 7.51.0 B - Apply the patch to your version and rebuild TIME LINE --------- It was first reported to the curl project on September 23 by Cure53. We contacted distros@...nwall on October 19. curl 7.51.0 was released on November 2 2016, coordinated with the publication of this advisory. CREDITS ------- This vulnerability was found during a Secure Open Source audit performed by Cure53. -- / daniel.haxx.se
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ