{"id":"MGASA-2015-0179","summary":"Updated curl packages fix security vulnerabilities","details":"Updated curl packages fix security vulnerabilities:\n\nNTLM-authenticated connections could be wrongly reused for requests without\nany credentials set, leading to HTTP requests being sent over the connection\nauthenticated as a different user (CVE-2015-3143).\n\nWhen parsing HTTP cookies, if the parsed cookie's \"path\" element consists of a\nsingle double-quote, libcurl would try to write to an invalid heap memory\naddress. This could allow remote attackers to cause a denial of service\n(crash) (CVE-2015-3145).\n\nWhen doing HTTP requests using the Negotiate authentication method along with\nNTLM, the connection used would not be marked as authenticated, making it\npossible to reuse it and send requests for one user over the connection\nauthenticated as a different user (CVE-2015-3148).\n","modified":"2026-04-16T01:49:17.562381375Z","published":"2015-05-03T00:19:16Z","upstream":["CVE-2015-3143","CVE-2015-3145","CVE-2015-3148"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0179.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=15746"},{"type":"WEB","url":"http://curl.haxx.se/docs/adv_20150422A.html"},{"type":"WEB","url":"http://curl.haxx.se/docs/adv_20150422D.html"},{"type":"WEB","url":"http://curl.haxx.se/docs/adv_20150422B.html"},{"type":"WEB","url":"https://www.debian.org/security/2015/dsa-3232"}],"affected":[{"package":{"name":"curl","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/curl?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.34.0-1.6.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0179.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}