curl: Four vulnerabilities fixed in Version 7.42.0

IDs: CVE-2015-3144, CVE-2015-3145, CVE-2015-3148, CVE-2015-3143
Keywords: curl, NTLM
Description: 

curl version 7.42.0 has been released, fixing four vulnerabilities.

Airlock WAF is not affected.

Details:

CVE-2015-3144: Out-of-bounds memory access when curl processes a URL with a zero-length host name. Airlock WAF is not affected because it never forwards URLs with zero-length host names to curl.

CVE-2015-3145: Out-of-bounds memory access if a path element in a Set-Cookie response contains a single double-quote. This is not relevant for Airlock WAF because back-end cookies are trusted and cannot be manipulated externally.

CVE-2015-3148/CVE-2015-3143: These affect the logic for reusing authenticated connections, e.g. in the case of NTLM. Airlock WAF is not affected because, for NTLM back-end authentication, it forces a new connection with every request (no TCP keep-alive).

Resolution:

No action required.

Component: Airlock
Airlock Vulnerability Status: Does not affect Airlock
Back-end Vulnerability Status: No action required