All errata/sisyphus/ALT-PU-2014-1748-2
ALT-PU-2014-1748-2

Package update curl in branch sisyphus

Version7.37.0-alt1
Task#120997
Published2026-02-04
Max severityMEDIUM
Severity:

Closed issues (2)

CVE-2015-3143
MEDIUM5.0

cURL and libcurl 7.10.6 through 7.41.0 does not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015.

Published: 2015-04-24Modified: 2025-04-12
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
References
CVE-2016-3739
MEDIUM5.3

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

Published: 2016-05-20Modified: 2025-04-12
CVSS 2.0LOW 2.6
CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
References