CVE-2014-3613
Published: 2014-11-18
Priority: P4 · 26 · medium · 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS: 1.82% (83.3th percentile)
cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
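The flaw comes down to suffix-matching a cookie's domain= value against a numeric host as if it were a DNS name. The following is an added example, a simplified model rather than libcurl's source; the function names `tailmatch_naive` and `tailmatch_strict` are hypothetical, and the strict variant is one way to reject partial IP literals, assuming an exact match is required whenever the host is an IP address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* True when host parses as an IPv4 or IPv6 literal. */
static bool is_ip_literal(const char *host)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Naive model of the flaw: any case-insensitive suffix of host is accepted. */
bool tailmatch_naive(const char *cookie_domain, const char *host)
{
    size_t dl = strlen(cookie_domain), hl = strlen(host);
    if (dl > hl)
        return false;
    return strcasecmp(cookie_domain, host + hl - dl) == 0;
}

/* Hardened model: IP literals must match exactly; names match on a label boundary. */
bool tailmatch_strict(const char *cookie_domain, const char *host)
{
    size_t dl, hl;
    if (*cookie_domain == '.')
        cookie_domain++;                 /* a leading dot carries no meaning */
    dl = strlen(cookie_domain);
    hl = strlen(host);
    if (dl == 0 || dl > hl)
        return false;
    if (is_ip_literal(host))             /* no partial matches on addresses */
        return dl == hl && strcasecmp(cookie_domain, host) == 0;
    if (strcasecmp(cookie_domain, host + hl - dl) != 0)
        return false;
    return dl == hl || host[hl - dl - 1] == '.';
}

int main(void)
{
    /* Constructed input: the domain= value from the advisory's scenario. */
    const char *dom = ".168.0.1";
    printf("naive:  192.168.0.1=%d 127.168.0.1=%d\n",
           tailmatch_naive(dom, "192.168.0.1"), tailmatch_naive(dom, "127.168.0.1"));
    printf("strict: 192.168.0.1=%d 127.168.0.1=%d\n",
           tailmatch_strict(dom, "192.168.0.1"), tailmatch_strict(dom, "127.168.0.1"));
    return 0;
}
```

With the naive check, a cookie scoped to `.168.0.1` is accepted from 192.168.0.1 and later matched against 127.168.0.1; the strict check rejects it for both hosts while ordinary domain cookies keep working.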
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.10.4 | — |
| apple | os_x_yosemite_v10.10.5_and_security_update_2015-006 | — | — |
| debian | curl | < curl 7.38.0-1 (bookworm) | curl 7.38.0-1 (bookworm) |
| haxx | curl | <= 7.37.1 | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | — | — |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.38.0-1 | 7.38.0-1 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.1 | 7.35.0-1ubuntu2.1 |
| haxx | libcurl | <= 7.37.1 | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
| haxx | libcurl | — | — |
CVSS provenance
nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
osv: 5.0 MEDIUM
vendor_debian: 5.0 MEDIUM
vendor_redhat: 5.0 MEDIUM
vendor_ubuntu: 5.0 MEDIUM
Ubuntu
curl vulnerabilities
vendor_ubuntu·2014-09-15·CVSS 5.0
CVE-2014-3613 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Tim Ruehsen discovered that curl incorrectly handled partial literal IP
addresses. This could lead to the disclosure of cookies to the wrong site,
and malicious sites being able to set cookies for others. (CVE-2014-3613)
Tim Ruehsen discovered that curl incorrectly allowed cookies to be set
for Top Level Domains (TLDs). This could allow a malicious site to set a
cookie that gets sent to other sites. (CVE-2014-3620)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: incorrect handling of IP addresses in cookie domain
vendor_redhat·2014-09-10·CVSS 5.0
CVE-2014-3613 [MEDIUM] CWE-20 curl: incorrect handling of IP addresses in cookie domain
cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
It was found that the libcurl library did not correctly handle partial literal IP addresses when parsing received HTTP cookies. An attacker able to trick a user into connecting to a malicious server could use this flaw to set the user's cookie to a crafted domain, making other cookie-related issues easier to exploit.
Statement: This issue affects the versions of curl as shipped with Red Hat Enterprise Linux 5 and is not planned to be corrected in future updates.
In
Debian
CVE-2014-3613: curl - cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie d...
vendor_debian·2014·CVSS 5.0
CVE-2014-3613 [MEDIUM] CVE-2014-3613: curl - cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie d...
cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
Scope: local
bookworm: resolved (fixed in 7.38.0-1)
bullseye: resolved (fixed in 7.38.0-1)
forky: resolved (fixed in 7.38.0-1)
sid: resolved (fixed in 7.38.0-1)
trixie: resolved (fixed in 7.38.0-1)
Apple
CVE-2014-3613: OS X Yosemite v10.10.5 and Security Update 2015-006
vendor_apple·CVSS 5.0
CVE-2014-3613 [MEDIUM] CVE-2014-3613: OS X Yosemite v10.10.5 and Security Update 2015-006
Apple Security Update: About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006
Product: OS X Yosemite v10.10.5 and Security Update 2015-006
CVE: CVE-2014-3613
Component: CVE-2014-3613
GHSA
GHSA-gcmw-6qh5-324w: cURL and libcurl before 7
ghsa_unreviewed·2022-05-14
CVE-2014-3613 [MEDIUM] GHSA-gcmw-6qh5-324w: cURL and libcurl before 7
cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
OSV
CVE-2014-3613: cURL and libcurl before 7
osv·2014-11-18·CVSS 5.0
CVE-2014-3613 [MEDIUM] CVE-2014-3613: cURL and libcurl before 7
cURL and libcurl before 7.38.0 do not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
OSV
curl vulnerabilities
osv·2014-09-15·CVSS 5.0
CVE-2014-3613 [MEDIUM] curl vulnerabilities
Tim Ruehsen discovered that curl incorrectly handled partial literal IP
addresses. This could lead to the disclosure of cookies to the wrong site,
and malicious sites being able to set cookies for others. (CVE-2014-3613)
Tim Ruehsen discovered that curl incorrectly allowed cookies to be set
for Top Level Domains (TLDs). This could allow a malicious site to set a
cookie that gets sent to other sites. (CVE-2014-3620)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [epel-7]
bugzilla·2014-09-10·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for mingw-curl: see blocks bug list for full d
Bugzilla
CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [fedora-all]
bugzilla·2014-09-10·CVSS 5.0
CVE-2014-3620 [MEDIUM] CVE-2014-3620 CVE-2014-3613 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Whi
Bugzilla
CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain [fedora-all]
bugzilla·2014-09-10·CVSS 5.0
CVE-2014-3613 [MEDIUM] CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versi
Bugzilla
CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain
bugzilla·2014-09-02·CVSS 5.0
CVE-2014-3613 [MEDIUM] CVE-2014-3613 curl: incorrect handling of IP addresses in cookie domain
Daniel Stenberg reported the following vulnerability in cURL that could cause libcurl-based HTTP clients to leak cookie information:
IP address as domain problem
By not detecting and rejecting domain names for partial literal IP addresses
properly when parsing received HTTP cookies, libcurl can be fooled into both
sending cookies to the wrong sites and allowing arbitrary sites to set
cookies for others.
For this problem to trigger, the client application must use the numerical
IP address in the URL to access the site and the site must send back cookies
to the site using domain= and a partial IP address.
Since libcurl wrongly approaches the IP address like it was a normal domain
name, a site at IP address 192.168.0.
http://curl.haxx.se/docs/adv_20140910A.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00024.html
http://rhn.redhat.com/errata/RHSA-2015-1254.html
http://www.debian.org/security/2014/dsa-3022
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/bid/69748
https://support.apple.com/kb/HT205031
Published: 2014-11-18