CVE-2016-8624
Severity | Medium |
Remote | Yes |
Type | Insufficient validation |
Description | curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if, for example, you use a URL parser that follows the RFC to check for allowed domains before using curl to request them. Passing in http://example.com#@evil.com/x.txt would wrongly make curl send a request to evil.com, while your browser would connect to example.com given the same URL. The problem exists for most protocol schemes. |
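
The parser mismatch described above can be caught before a URL is handed to an unpatched client. The following is an added example, not code from curl or from this tracker: `legacy_host` is a constructed model of the flawed split (an assumption for illustration), and the function names and allowlist are hypothetical.

```python
from urllib.parse import urlsplit


def rfc_host(url):
    """Host per RFC 3986: the authority ends at the first '/', '?' or '#'."""
    return urlsplit(url).hostname


def legacy_host(url):
    """Constructed model of the flawed parse (not curl's actual code).

    The authority is cut only at '/' or '?', so a '#' stays inside it and
    everything before the last '@' is treated as userinfo.
    IPv6 literals are not modelled, so they fail closed in allowed().
    """
    if "://" not in url:
        return None
    rest = url.split("://", 1)[1]
    for sep in "/?":
        rest = rest.split(sep, 1)[0]
    hostport = rest.rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0].lower() or None


def is_ambiguous(url):
    """True when the two parsing strategies disagree about the target host."""
    return rfc_host(url) != legacy_host(url)


def allowed(url, allowlist):
    """Allow only URLs whose host is allowlisted under BOTH interpretations."""
    host = rfc_host(url)
    return host is not None and host in allowlist and not is_ambiguous(url)


if __name__ == "__main__":
    allowlist = {"example.com"}  # hypothetical policy
    samples = [
        "http://example.com/x.txt",
        "https://user@example.com:8443/a?b#c",
        "http://example.com#@evil.com/x.txt",  # URL from the description
    ]
    for url in samples:
        print(url, rfc_host(url), legacy_host(url), allowed(url, allowlist))
```

Rejecting any URL on which the two interpretations disagree keeps the allowlist decision valid even when the fetching client is still a vulnerable version.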
Group | Package | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|---|
AVG-66 | lib32-libcurl-gnutls | 7.50.3-1 | 7.51.0-1 | High | Fixed | |
AVG-65 | libcurl-gnutls | 7.50.3-1 | 7.51.0-1 | High | Fixed | |
AVG-63 | lib32-libcurl-compat | 7.50.3-1 | 7.51.0-1 | High | Fixed | |
AVG-62 | libcurl-compat | 7.50.3-1 | 7.51.0-1 | High | Fixed | |
AVG-61 | lib32-curl | 7.50.3-1 | 7.51.0-1 | High | Fixed | |
AVG-60 | curl | 7.50.3-1 | 7.51.0-1 | High | Fixed | |
Date | Advisory | Group | Package | Severity | Type |
---|---|---|---|---|---|
03 Nov 2016 | ASA-201611-9 | AVG-65 | libcurl-gnutls | High | multiple issues |
03 Nov 2016 | ASA-201611-8 | AVG-62 | libcurl-compat | High | multiple issues |
03 Nov 2016 | ASA-201611-7 | AVG-60 | curl | High | multiple issues |
02 Nov 2016 | ASA-201611-5 | AVG-63 | lib32-libcurl-compat | High | multiple issues |
02 Nov 2016 | ASA-201611-4 | AVG-61 | lib32-curl | High | multiple issues |
03 Nov 2016 | ASA-201611-10 | AVG-66 | lib32-libcurl-gnutls | High | multiple issues |
References |
---|
https://curl.haxx.se/docs/adv_20161102J.html |