CVE-2016-8624 log

Source
Severity Medium
Remote Yes
Type Insufficient validation
Description
curl doesn't parse the authority component of the URL correctly when the host name part ends with a '#' character, and could instead be tricked into connecting to a different host. This may have security implications if you for example use a URL parser that follows the RFC to check for allowed domains before using curl to request them.

Passing in http://example.com#@evil.com/x.txt would wrongly make curl send a request to evil.com while your browser would connect to example.com given the same URL.

The problem exists for most protocol schemes.
Group Package Affected Fixed Severity Status Ticket
AVG-66 lib32-libcurl-gnutls 7.50.3-1 7.51.0-1 High Fixed
AVG-65 libcurl-gnutls 7.50.3-1 7.51.0-1 High Fixed
AVG-63 lib32-libcurl-compat 7.50.3-1 7.51.0-1 High Fixed
AVG-62 libcurl-compat 7.50.3-1 7.51.0-1 High Fixed
AVG-61 lib32-curl 7.50.3-1 7.51.0-1 High Fixed
AVG-60 curl 7.50.3-1 7.51.0-1 High Fixed
Date Advisory Group Package Severity Description
03 Nov 2016 ASA-201611-9 AVG-65 libcurl-gnutls High multiple issues
03 Nov 2016 ASA-201611-8 AVG-62 libcurl-compat High multiple issues
03 Nov 2016 ASA-201611-7 AVG-60 curl High multiple issues
02 Nov 2016 ASA-201611-5 AVG-63 lib32-libcurl-compat High multiple issues
02 Nov 2016 ASA-201611-4 AVG-61 lib32-curl High multiple issues
03 Nov 2016 ASA-201611-10 AVG-66 lib32-libcurl-gnutls High multiple issues
References
https://curl.haxx.se/docs/adv_20161102J.html