Upstream information

CVE-2016-0755 at MITRE

Description

The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.

SUSE information

CVSS v2 Scores (National Vulnerability Database)

Base Score: 4.96
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

CVSS v3 Scores (National Vulnerability Database)

Base Score: 7.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Access Vector: Network
Access Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

SUSE Bugzilla entry: 962983 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Desktop 11 SP3
  • curl >= 7.19.7-1.46.1
  • libcurl4 >= 7.19.7-1.46.1
  • libcurl4-32bit >= 7.19.7-1.46.1
Patchnames:
sledsp3-curl-12385
SUSE Linux Enterprise Desktop 11 SP4
  • curl >= 7.19.7-1.46.1
  • libcurl4 >= 7.19.7-1.46.1
  • libcurl4-32bit >= 7.19.7-1.46.1
Patchnames:
sledsp4-curl-12385
SUSE Linux Enterprise Desktop 12
  • curl >= 7.37.0-18.1
  • libcurl4 >= 7.37.0-18.1
  • libcurl4-32bit >= 7.37.0-18.1
Patchnames:
SUSE-SLE-DESKTOP-12-2016-201
SUSE Linux Enterprise Desktop 12 SP1
  • curl >= 7.37.0-18.1
  • libcurl4 >= 7.37.0-18.1
  • libcurl4-32bit >= 7.37.0-18.1
Patchnames:
SUSE-SLE-DESKTOP-12-SP1-2016-201
SUSE Linux Enterprise Desktop 12 SP2
  • curl >= 7.37.0-28.1
  • libcurl4 >= 7.37.0-28.1
  • libcurl4-32bit >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Desktop 12 SP2 GA curl
SUSE Linux Enterprise Module for Containers 12
  • sles11sp4-docker-image >= 1.1.1-20160304104123
Patchnames:
SUSE-SLE-Module-Containers-12-2016-457
SUSE Linux Enterprise Server 11 SP3
  • curl >= 7.19.7-1.46.1
  • libcurl4 >= 7.19.7-1.46.1
  • libcurl4-32bit >= 7.19.7-1.46.1
  • libcurl4-x86 >= 7.19.7-1.46.1
Patchnames:
slessp3-curl-12385
SUSE Linux Enterprise Server 11 SP4
  • curl >= 7.19.7-1.46.1
  • libcurl4 >= 7.19.7-1.46.1
  • libcurl4-32bit >= 7.19.7-1.46.1
  • libcurl4-x86 >= 7.19.7-1.46.1
Patchnames:
slessp4-curl-12385
SUSE Linux Enterprise Server 12
  • curl >= 7.37.0-18.1
  • libcurl4 >= 7.37.0-18.1
  • libcurl4-32bit >= 7.37.0-18.1
Patchnames:
SUSE-SLE-SERVER-12-2016-201
SUSE Linux Enterprise Server 12 SP1
  • curl >= 7.37.0-18.1
  • libcurl4 >= 7.37.0-18.1
  • libcurl4-32bit >= 7.37.0-18.1
Patchnames:
SUSE-SLE-SERVER-12-SP1-2016-201
SUSE Linux Enterprise Server 12 SP2
  • curl >= 7.37.0-28.1
  • libcurl4 >= 7.37.0-28.1
  • libcurl4-32bit >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Server 12 SP2 GA curl
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • curl >= 7.37.0-28.1
  • libcurl4 >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 GA curl
SUSE Linux Enterprise Server for VMWare 11 SP3
  • curl >= 7.19.7-1.46.1
  • libcurl4 >= 7.19.7-1.46.1
  • libcurl4-32bit >= 7.19.7-1.46.1
  • libcurl4-x86 >= 7.19.7-1.46.1
Patchnames:
slessp3-curl-12385
SUSE Linux Enterprise Software Development Kit 11 SP3
  • curl >= 7.19.7-1.46.1
  • libcurl-devel >= 7.19.7-1.46.1
Patchnames:
sdksp3-curl-12385
SUSE Linux Enterprise Software Development Kit 11 SP4
  • curl >= 7.19.7-1.46.1
  • libcurl-devel >= 7.19.7-1.46.1
Patchnames:
sdksp4-curl-12385
SUSE Linux Enterprise Software Development Kit 12
  • curl >= 7.37.0-18.1
  • libcurl-devel >= 7.37.0-18.1
Patchnames:
SUSE-SLE-SDK-12-2016-201
SUSE Linux Enterprise Software Development Kit 12 SP1
  • curl >= 7.37.0-18.1
  • libcurl-devel >= 7.37.0-18.1
Patchnames:
SUSE-SLE-SDK-12-SP1-2016-201
SUSE Linux Enterprise Software Development Kit 12 SP2
  • libcurl-devel >= 7.37.0-28.1
Patchnames:
SUSE Linux Enterprise Software Development Kit 12 SP2 GA libcurl-devel
openSUSE 13.1
  • curl >= 7.42.1-2.50.1
  • curl-debuginfo >= 7.42.1-2.50.1
  • curl-debugsource >= 7.42.1-2.50.1
  • libcurl-devel >= 7.42.1-2.50.1
  • libcurl-devel-32bit >= 7.42.1-2.50.1
  • libcurl4 >= 7.42.1-2.50.1
  • libcurl4-32bit >= 7.42.1-2.50.1
  • libcurl4-debuginfo >= 7.42.1-2.50.1
  • libcurl4-debuginfo-32bit >= 7.42.1-2.50.1
Patchnames:
2016-170
openSUSE 13.2
  • curl >= 7.42.1-19.1
  • curl-debuginfo >= 7.42.1-19.1
  • curl-debugsource >= 7.42.1-19.1
  • libcurl-devel >= 7.42.1-19.1
  • libcurl-devel-32bit >= 7.42.1-19.1
  • libcurl4 >= 7.42.1-19.1
  • libcurl4-32bit >= 7.42.1-19.1
  • libcurl4-debuginfo >= 7.42.1-19.1
  • libcurl4-debuginfo-32bit >= 7.42.1-19.1
Patchnames:
openSUSE-2016-153
openSUSE Leap 42.1
  • curl >= 7.37.0-7.1
  • curl-debuginfo >= 7.37.0-7.1
  • curl-debugsource >= 7.37.0-7.1
  • libcurl-devel >= 7.37.0-7.1
  • libcurl-devel-32bit >= 7.37.0-7.1
  • libcurl4 >= 7.37.0-7.1
  • libcurl4-32bit >= 7.37.0-7.1
  • libcurl4-debuginfo >= 7.37.0-7.1
  • libcurl4-debuginfo-32bit >= 7.37.0-7.1
Patchnames:
openSUSE-2016-152
openSUSE Leap 42.2
  • curl >= 7.37.0-15.1
  • libcurl-devel >= 7.37.0-15.1
  • libcurl4 >= 7.37.0-15.1
Patchnames:
openSUSE Leap 42.2 GA curl
openSUSE Tumbleweed
  • curl >= 7.51.0-1.1
  • libcurl-devel >= 7.51.0-1.1
  • libcurl-devel-32bit >= 7.51.0-1.1
  • libcurl4 >= 7.51.0-1.1
  • libcurl4-32bit >= 7.51.0-1.1
Patchnames:
openSUSE Tumbleweed GA curl