CVE-2016-0755
Published: 2016-01-29
Priority: P3 · 48 · high · 7.3 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 9.33% (94.7th percentile)
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | curl | < curl 7.47.0-1 (bookworm) | curl 7.47.0-1 (bookworm) |
| debian | debian_linux | — | — |
| haxx | curl | <= 7.46.0 | — |
| haxx | curl | >= 0 < 7.47.0-1 | 7.47.0-1 |
| haxx | curl | >= 0 < 7.47.0-1 | 7.47.0-1 |
| haxx | curl | >= 0 < 7.47.0-1 | 7.47.0-1 |
| haxx | curl | >= 0 < 7.47.0-1 | 7.47.0-1 |
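CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.3 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 4.0 | MEDIUM | — |
| vendor_debian | — | 4.0 | MEDIUM | — |
| vendor_redhat | — | 4.0 | MEDIUM | — |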
Apple
CVE-2016-0755: macOS Sierra 10.12
vendor_apple·2016-09-20·CVSS 7.3
CVE-2016-0755 [HIGH] CVE-2016-0755: macOS Sierra 10.12
Apple Security Update: About the security content of macOS Sierra 10.12
Product: macOS Sierra
Version: 10.12
CVE: CVE-2016-0755
Component: CoreDisplay
Impact: A user with screen sharing access may be able to view another user's screen
Description: A session management issue existed in the handling of screen sharing sessions. This issue was addressed through improved session tracking.
Red Hat
curl: NTLM credentials not-checked for proxy connection re-use
vendor_redhat·2016-01-27·CVSS 4.0
CVE-2016-0755 [MEDIUM] CWE-287 curl: NTLM credentials not-checked for proxy connection re-use
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
Package: curl (Red Hat Enterprise Linux 5) - Will not fix
Package: curl (Red Hat Enterprise Linux 6) - Will not fix
Package: curl (Red Hat Enterprise Linux 7) - Will not fix
Package: curl (Red Hat JBoss Enterprise Web Server 3) - Will not fix
Package: httpd24-curl (Red Hat Software Collections) - Not affected
Ubuntu
curl vulnerability
vendor_ubuntu·2016-01-27
CVE-2016-0755 curl vulnerability
Title: curl vulnerability
Summary: curl would incorrectly re-use credentials.
Isaac Boukris discovered that curl could incorrectly re-use NTLM proxy
credentials when subsequently connecting to the same host.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2016-0755: curl - The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not pro...
vendor_debian·2016·CVSS 4.0
CVE-2016-0755 [MEDIUM] CVE-2016-0755: curl - The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not pro...
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
Scope: local
bookworm: resolved (fixed in 7.47.0-1)
bullseye: resolved (fixed in 7.47.0-1)
forky: resolved (fixed in 7.47.0-1)
sid: resolved (fixed in 7.47.0-1)
trixie: resolved (fixed in 7.47.0-1)
GHSA
GHSA-ff7q-9j5g-56pg: The ConnectionExists function in lib/url
ghsa_unreviewed·2022-05-14·CVSS 4.0
CVE-2016-0755 [MEDIUM] CWE-287 GHSA-ff7q-9j5g-56pg: The ConnectionExists function in lib/url
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
OSV
CVE-2016-0755: The ConnectionExists function in lib/url
osv·2016-01-29·CVSS 4.0
CVE-2016-0755 [MEDIUM] CVE-2016-0755: The ConnectionExists function in lib/url
The ConnectionExists function in lib/url.c in libcurl before 7.47.0 does not properly re-use NTLM-authenticated proxy connections, which might allow remote attackers to authenticate as other users via a request, a similar issue to CVE-2014-0015.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-7404 openstack-magnum: Magnum created instances have full API access to creating user's OpenStack account
bugzilla·2017-05-12·CVSS 9.8
CVE-2016-7404 [CRITICAL] CVE-2016-7404 openstack-magnum: Magnum created instances have full API access to creating user's OpenStack account
Multiple potential vulnerabilities were found in openstack-magnum.
* Permissions for /etc/sysconfig/heat-params inside Magnum created instances were 0755
* The cluster's Keystone trust id was passed into instances for clusters where it was not needed.
* Clusters that need trust_id to be passed into instances to work could be created.
Upstream patch:
https://git.openstack.org/cgit/openstack/magnum/commit/?id=0bb0d6486d6771ee21bbf897a091b1aa59e01b22
Discussion:
Fixed in magnum 3.2.0 - https://docs.openstack.org/releasenotes/magnum/newton.html
---
Created openstack-magnum tracking bugs for this issue:
Affects: openstack-rdo [bug 1455030]
Bugzilla
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use
bugzilla·2016-01-27·CVSS 7.3
CVE-2016-0755 [HIGH] CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use
A vulnerability was found in the way libcurl uses NTLM-authenticated proxy connections.
Libcurl will reuse NTLM-authenticated proxy connections without properly making sure
that the connection was authenticated with the same credentials as set for this transfer.
Upstream bug report:
http://curl.haxx.se/docs/adv_20160127A.html
Upstream patch:
http://curl.haxx.se/CVE-2016-0755.patch
Acknowledgements:
Red Hat would like to thank curl upstream for reporting this issue. Upstream acknowledges Isaac Boukris as the original reporter.
Discussion:
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1302265]
---
Created mingw-curl tracking bugs for this issue:
Affects: fedora-all [bug 1302264]
Aff
Bugzilla
CVE-2016-0755 mingw-curl: curl: NTLM credentials not-checked for proxy connection re-use [fedora-all]
bugzilla·2016-01-27·CVSS 7.3
CVE-2016-0755 [HIGH] CVE-2016-0755 mingw-curl: curl: NTLM credentials not-checked for proxy connection re-use [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
Bugzilla
CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use [fedora-all]
bugzilla·2016-01-27·CVSS 7.3
CVE-2016-0755 [HIGH] CVE-2016-0755 curl: NTLM credentials not-checked for proxy connection re-use [fedora-all]
Bugzilla
CVE-2016-0755 mingw-curl: curl: NTLM credentials not-checked for proxy connection re-use [epel-7]
bugzilla·2016-01-27·CVSS 7.3
CVE-2016-0755 [HIGH] CVE-2016-0755 mingw-curl: curl: NTLM credentials not-checked for proxy connection re-use [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for mingw-c
References
http://curl.haxx.se/docs/adv_20160127A.html
http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176546.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177342.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177383.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176413.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00031.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00044.html
http://lists.opensuse.org/opensuse-updates/2016-02/msg00047.html
http://packetstormsecurity.com/files/135695/Slackware-Security-Advisory-curl-Updates.html
http://www.debian.org/security/2016/dsa-3455
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/82307
http://www.securitytracker.com/id/1034882
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.519965
http://www.ubuntu.com/usn/USN-2882-1
https://security.gentoo.org/glsa/201701-47
https://support.apple.com/HT207170