Mandriva Linux Security Advisory 2015-213 - lftp incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site. lftp was affected by this issue as it uses code from cURL for checking SSL certificates. The curl package was fixed in MDVSA-2015:098.
0e94abe5e27fe5c6984390ceef5e20904126efa7257c4f4f53cde5ada9829724
Mandriva Linux Security Advisory 2015-098 - Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials. Various other issues were also addressed.
238c9d05fcd4c3b08f5247b6e8c3855e7a760b684bb0b2f4b2fd169a52c9dffc
Gentoo Linux Security Advisory 201406-21 - Multiple vulnerabilities have been discovered in cURL, the worst of which could lead to man-in-the-middle attacks. Versions less than 7.36.0 are affected.
090b15096d43be2a5496a00652c5582533b2fa4c98c5f69f159e282331632787
Mandriva Linux Security Advisory 2014-110 - Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials. libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site.
75ea9fddd56a8f483f19f04372a8d6ef9a7dc3e7b6a70eeaa8e03e77757a707c
Debian Linux Security Advisory 2902-1 - Two vulnerabilities have been discovered in cURL, an URL transfer library.
da3502c130f203873bf0e759e38b393026c7502c6a847b54750aeb3fb5affbd9
Ubuntu Security Notice 2167-1 - Steve Holme discovered that libcurl incorrectly reused wrong connections when using protocols other than HTTP and FTP. This could lead to the use of unintended credentials, possibly exposing sensitive information. Richard Moore discovered that libcurl incorrectly validated wildcard SSL certificates that contain literal IP addresses. An attacker could possibly exploit this to perform a man in the middle attack to view sensitive information or alter encrypted communications. Various other issues were also addressed.
d2b70d65e2f00a87b476048dbbdf46b1ba245dc916bb699db1c4197934f87024
Slackware Security Advisory - New curl packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
4fbd2389486aa3af7ea8d9c620951216e696c1a2f7cd4f5c668793bc276a08f3