Main Vulnerability Database SB2016062203

SB2016062203 - Input validation error in curl (Alpine package)

Published: June 22, 2016

Security Bulletin ID SB2016062203

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2016-3739)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.

Remediation

Install update from vendor's website.

References

https://git.alpinelinux.org/aports/commit/?id=a1b55b6823e02216a8e5ca9662b815e3f2813bc9
https://git.alpinelinux.org/aports/commit/?id=b239069ea8896f7ba3f0993699263357c17ea425