ID

VAR-201902-0100


CVE

CVE-2019-3822


TITLE

libcurl Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-001733

DESCRIPTION

libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received data. The check that exists to prevent the local buffer from getting overflowed is implemented wrongly (using unsigned math) and as such it does not prevent the overflow from happening. This output data can grow larger than the local buffer if very large 'nt response' data is extracted from a previous NTLMv2 header provided by the malicious or broken HTTP server. Such a 'large value' needs to be around 1000 bytes or more. The actual payload data copied to the target buffer comes from the NTLMv2 type-2 response header. libcurl Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. cURL/libcURL is prone to the following vulnerabilities: 1. A stack-based buffer-overflow vulnerability 2. A heap-based buffer-overflow vulnerability Attackers can exploit these issues to cause denial-of-service conditions. Due to the nature of these issues, arbitrary code execution may be possible, but this has not been confirmed. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201903-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: cURL: Multiple vulnerabilities Date: March 10, 2019 Bugs: #665292, #670026, #677346 ID: 201903-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in cURL, the worst of which could result in a Denial of Service condition. Background ========== A command line tool and library for transferring data with URLs. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/curl < 7.64.0 >= 7.64.0 Description =========== Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All cURL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/curl-7.64.0" References ========== [ 1 ] CVE-2018-14618 https://nvd.nist.gov/vuln/detail/CVE-2018-14618 [ 2 ] CVE-2018-16839 https://nvd.nist.gov/vuln/detail/CVE-2018-16839 [ 3 ] CVE-2018-16840 https://nvd.nist.gov/vuln/detail/CVE-2018-16840 [ 4 ] CVE-2018-16842 https://nvd.nist.gov/vuln/detail/CVE-2018-16842 [ 5 ] CVE-2019-3822 https://nvd.nist.gov/vuln/detail/CVE-2019-3822 [ 6 ] CVE-2019-3823 https://nvd.nist.gov/vuln/detail/CVE-2019-3823 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201903-03 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . CVE-2018-16890 Wenxiang Qian of Tencent Blade Team discovered that the function handling incoming NTLM type-2 messages does not validate incoming data correctly and is subject to an integer overflow vulnerability, which could lead to an out-of-bounds buffer read. For the stable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u9. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAlxbSaAACgkQbwzL4CFi RygmtA/9HlrFg7QuCYikB1GTMvAfWtmk8vV19wr+zXcG4zxjC5MSubJStmg6Fhn7 Hl4Ar+UpqF79IM02yw4drAhci7BksQtGw/akExCDtI/+jw+BeHyHSR0GApwNlrIp k1t0c/ExxLKAPQKB4hxuxs0FdZGiJxO02Ld39O4PVf9c7IkBu0bRcbVbEajvIggh RFZN8HmUaqcN57MXu1Jrb9J0XWCyiGHjqEwBY0Q7/SI7cDuV5o8LiRFBeF/J2ByZ cSW7C980qQ9t1pru3BCAoAJxX7hl+fJPxub7oeZ1FehuQKMhxS/x2vQVgG6ni02z dccgYs+JVAaLhfqMUVNdieMwvyUuVbGsLVJ15HFRs8WGMlq9qRuHVfKBteZGPkHm zXbMaQ8lndNUN/El9JmaL4EEz4yIF/ZyQaniXGLu7iUPHtlJsFSl6Rjjc6q1Fg1u rAH4xNX2G4XV6MLH0LaQmaNgSLXSQn/er7QaUFEjCkzlRGob3DXWqexB2RhyNmp2 Hg5CrMT1d9VWFXS40CdiccPK+Bu0sEwuyzHWJMAQ2gRZ8Wv5MbqqOH8T9yLwXEgB u3MnQsWHs8nNKGs/ca6y6sRFMNhjVTA1Xwe12ZrO5UqZmpZJHgmSYEslboaLffGa zi3ucm1DATRJcTbMYvpZhS60QjkYr2nXgBwYYABTb2ZvDOTE6j4ILC -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: curl security and bug fix update Advisory ID: RHSA-2019:3701-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:3701 Issue date: 2019-11-05 CVE Names: CVE-2018-16890 CVE-2018-20483 CVE-2019-3822 CVE-2019-3823 ===================================================================== 1. Summary: An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: NTLM type-2 heap out-of-bounds buffer read (CVE-2018-16890) * wget: Information exposure in set_file_metadata function in xattr.c (CVE-2018-20483) * curl: NTLMv2 type-3 header stack buffer overflow (CVE-2019-3822) * curl: SMTP end-of-response out-of-bounds read (CVE-2019-3823) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1662705 - CVE-2018-20483 wget: Information exposure in set_file_metadata function in xattr.c 1669156 - connection re-use does not work for SCP and SFTP 1670252 - CVE-2018-16890 curl: NTLM type-2 heap out-of-bounds buffer read 1670254 - CVE-2019-3822 curl: NTLMv2 type-3 header stack buffer overflow 1670256 - CVE-2019-3823 curl: SMTP end-of-response out-of-bounds read 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: curl-7.61.1-11.el8.src.rpm aarch64: curl-7.61.1-11.el8.aarch64.rpm curl-debuginfo-7.61.1-11.el8.aarch64.rpm curl-debugsource-7.61.1-11.el8.aarch64.rpm curl-minimal-debuginfo-7.61.1-11.el8.aarch64.rpm libcurl-7.61.1-11.el8.aarch64.rpm libcurl-debuginfo-7.61.1-11.el8.aarch64.rpm libcurl-devel-7.61.1-11.el8.aarch64.rpm libcurl-minimal-7.61.1-11.el8.aarch64.rpm libcurl-minimal-debuginfo-7.61.1-11.el8.aarch64.rpm ppc64le: curl-7.61.1-11.el8.ppc64le.rpm curl-debuginfo-7.61.1-11.el8.ppc64le.rpm curl-debugsource-7.61.1-11.el8.ppc64le.rpm curl-minimal-debuginfo-7.61.1-11.el8.ppc64le.rpm libcurl-7.61.1-11.el8.ppc64le.rpm libcurl-debuginfo-7.61.1-11.el8.ppc64le.rpm libcurl-devel-7.61.1-11.el8.ppc64le.rpm libcurl-minimal-7.61.1-11.el8.ppc64le.rpm libcurl-minimal-debuginfo-7.61.1-11.el8.ppc64le.rpm s390x: curl-7.61.1-11.el8.s390x.rpm curl-debuginfo-7.61.1-11.el8.s390x.rpm curl-debugsource-7.61.1-11.el8.s390x.rpm curl-minimal-debuginfo-7.61.1-11.el8.s390x.rpm libcurl-7.61.1-11.el8.s390x.rpm libcurl-debuginfo-7.61.1-11.el8.s390x.rpm libcurl-devel-7.61.1-11.el8.s390x.rpm libcurl-minimal-7.61.1-11.el8.s390x.rpm libcurl-minimal-debuginfo-7.61.1-11.el8.s390x.rpm x86_64: curl-7.61.1-11.el8.x86_64.rpm curl-debuginfo-7.61.1-11.el8.i686.rpm curl-debuginfo-7.61.1-11.el8.x86_64.rpm curl-debugsource-7.61.1-11.el8.i686.rpm curl-debugsource-7.61.1-11.el8.x86_64.rpm curl-minimal-debuginfo-7.61.1-11.el8.i686.rpm curl-minimal-debuginfo-7.61.1-11.el8.x86_64.rpm libcurl-7.61.1-11.el8.i686.rpm libcurl-7.61.1-11.el8.x86_64.rpm libcurl-debuginfo-7.61.1-11.el8.i686.rpm libcurl-debuginfo-7.61.1-11.el8.x86_64.rpm libcurl-devel-7.61.1-11.el8.i686.rpm libcurl-devel-7.61.1-11.el8.x86_64.rpm libcurl-minimal-7.61.1-11.el8.i686.rpm libcurl-minimal-7.61.1-11.el8.x86_64.rpm libcurl-minimal-debuginfo-7.61.1-11.el8.i686.rpm libcurl-minimal-debuginfo-7.61.1-11.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-16890 https://access.redhat.com/security/cve/CVE-2018-20483 https://access.redhat.com/security/cve/CVE-2019-3822 https://access.redhat.com/security/cve/CVE-2019-3823 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXcHzVtzjgjWX9erEAQjvzw/+OUU07vnIT/4FS8aZD7Z8yUMYBwGhlMYm jIfVcRL/CuCe64zoTLyPhU3qJGuj84Fdx5ryxWglnimoERd3VXMZ5OZSPz8w738j owx9pN0gVooc5MGykJm9OP27BeXU4ZceWtvX5L2jRPvSzvlTavUfwfQ7rjFuxK1A FfNoJurwBKLowh31BBZjuak6GZ6YBH9kY3vAS5BUZxuijSS8zIsnOvFwgB152p56 tvJN7/Rtwh56msrg/AF/HLCneOs8LH+k3VWs4tucW/cSbzFSJPXeiZyVBCxj60FW jlIcOH8Joo79HVenK8TWw9rpd1QIaNwh84DmVXoKR2GKt4DL8ZFeL5oqHN8A2OkO I5G2DHgaE3sgOkTKiCoUzQrIIfRmwEfqYPw3SGZZhXIVbbWtlQ01xERMIunamXE2 Rfk2zd8M7HB+c2hiRD842wnULCAINY/w6e8J4g6kZQ4tn+eIKTwB7pVUzROMwBNq OKJFm8reEYOtgH3q+xmg13N1jkynTgFlcgLQ1ua+nS8o6fJE/23lgMdJY/oUXgnc szJLxMAySEePZF0QI9f8hedm+D5hGzkRB3KYqkv8OagSW0G2RAxadoLdl5qH5Doq l4gaFPgMIKK9yxnj+8gm7zsZiUNdebj5+c4eU7OZ1s98tzPQ3/W39m/8tNM3ueB0 PK6rxvdCr2I= =8Z+p -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283) * SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169) * grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624) * js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358) * npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769) * kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013) * nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598) * npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662) * nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) * grafana: stored XSS (CVE-2020-11110) * grafana: XSS annotation popup vulnerability (CVE-2020-12052) * grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245) * nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822) * golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) * nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) * openshift/console: text injection on error page via crafted url (CVE-2020-10715) * kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743) * openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/): 907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13) 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection 1767665 - CVE-2020-10715 openshift/console: text injection on error page via crafted url 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic 1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1834550 - CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking 1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser 1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability 1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions 1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip 1848647 - CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures 1849044 - CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) 1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution 1850572 - CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function 1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function 1858981 - CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets 1861044 - CVE-2020-11110 grafana: stored XSS 1874671 - CVE-2020-14336 ose-machine-config-operator-container: openshift: restricted SCC allows pods to craft custom network packets [openshift-4] 5. ========================================================================== Ubuntu Security Notice USN-3882-1 February 06, 2019 curl vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in curl. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10. (CVE-2018-16890) Wenxiang Qian discovered that curl incorrectly handled certain NTLMv2 authentication messages. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 18.10. (CVE-2019-3822) Brian Carpenter discovered that curl incorrectly handled certain SMTP responses. A remote attacker could possibly use this issue to cause curl to crash, resulting in a denial of service. (CVE-2019-3823) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.10: curl 7.61.0-1ubuntu2.3 libcurl3-gnutls 7.61.0-1ubuntu2.3 libcurl3-nss 7.61.0-1ubuntu2.3 libcurl4 7.61.0-1ubuntu2.3 Ubuntu 18.04 LTS: curl 7.58.0-2ubuntu3.6 libcurl3-gnutls 7.58.0-2ubuntu3.6 libcurl3-nss 7.58.0-2ubuntu3.6 libcurl4 7.58.0-2ubuntu3.6 Ubuntu 16.04 LTS: curl 7.47.0-1ubuntu2.12 libcurl3 7.47.0-1ubuntu2.12 libcurl3-gnutls 7.47.0-1ubuntu2.12 libcurl3-nss 7.47.0-1ubuntu2.12 Ubuntu 14.04 LTS: curl 7.35.0-1ubuntu2.20 libcurl3 7.35.0-1ubuntu2.20 libcurl3-gnutls 7.35.0-1ubuntu2.20 libcurl3-nss 7.35.0-1ubuntu2.20 In general, a standard system update will make all the necessary changes. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/curl-7.64.0-i586-1_slack14.2.txz: Upgraded. This release fixes the following security issues: NTLM type-2 out-of-bounds buffer read. SMTP end-of-response out-of-bounds read. For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/curl-7.64.0-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/curl-7.64.0-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/curl-7.64.0-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/curl-7.64.0-x86_64-1_slack14.1.txz Updated package for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/curl-7.64.0-i586-1_slack14.2.txz Updated package for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/curl-7.64.0-x86_64-1_slack14.2.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/curl-7.64.0-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/curl-7.64.0-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.0 package: 94fb3c50acd4f7640ca62ed6d18512c6 curl-7.64.0-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 4c21f7f6b2529badfd6c43c08a43df18 curl-7.64.0-x86_64-1_slack14.0.txz Slackware 14.1 package: e57b9b6125d0ffd54ce56ed9cbc32fb5 curl-7.64.0-i486-1_slack14.1.txz Slackware x86_64 14.1 package: f599f0dca7cf5e1839204ab6a6cdcbb1 curl-7.64.0-x86_64-1_slack14.1.txz Slackware 14.2 package: 357b50273d07ae2deef0958d8f5b5afa curl-7.64.0-i586-1_slack14.2.txz Slackware x86_64 14.2 package: 6c259df05c840f74dc4b3a84c6d4f212 curl-7.64.0-x86_64-1_slack14.2.txz Slackware -current package: 9fa3ea811b5c4cca6382d7e18b2845a2 n/curl-7.64.0-i586-1.txz Slackware x86_64 -current package: 869267a25c87036e7c9c909d2f3891c9 n/curl-7.64.0-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg curl-7.64.0-i586-1_slack14.2.txz +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address

Trust: 2.52

sources: NVD: CVE-2019-3822 // JVNDB: JVNDB-2019-001733 // BID: 106950 // VULMON: CVE-2019-3822 // PACKETSTORM: 152034 // PACKETSTORM: 151568 // PACKETSTORM: 155162 // PACKETSTORM: 159727 // PACKETSTORM: 151566 // PACKETSTORM: 151569

AFFECTED PRODUCTS

vendor:oraclemodel:services tools bundlescope:eqversion:19.2

Trust: 1.3

vendor:oraclemodel:secure global desktopscope:eqversion:5.4

Trust: 1.3

vendor:oraclemodel:http serverscope:eqversion:12.2.1.3.0

Trust: 1.3

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.3.3

Trust: 1.3

vendor:oraclemodel:communications operations monitorscope:eqversion:4.0

Trust: 1.3

vendor:oraclemodel:communications operations monitorscope:eqversion:3.4

Trust: 1.3

vendor:netappmodel:active iq unified managerscope:gteversion:9.5

Trust: 1.0

vendor:haxxmodel:libcurlscope:ltversion:7.64.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:18.04

Trust: 1.0

vendor:oraclemodel:mysql serverscope:lteversion:5.7.26

Trust: 1.0

vendor:haxxmodel:libcurlscope:gteversion:7.36.0

Trust: 1.0

vendor:oraclemodel:mysql serverscope:gteversion:5.7.27

Trust: 1.0

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.4.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:16.04

Trust: 1.0

vendor:oraclemodel:mysql serverscope:lteversion:8.0.15

Trust: 1.0

vendor:netappmodel:active iq unified managerscope:gteversion:7.3

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:14.04

Trust: 1.0

vendor:netappmodel:snapcenterscope:eqversion: -

Trust: 1.0

vendor:redhatmodel:enterprise linuxscope:eqversion:8.0

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:18.10

Trust: 1.0

vendor:netappmodel:clustered data ontapscope:eqversion:*

Trust: 1.0

vendor:netappmodel:oncommand insightscope:eqversion: -

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:netappmodel:oncommand workflow automationscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:sinema remote connect clientscope:lteversion:2.0

Trust: 1.0

vendor:canonicalmodel:ubuntuscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:haxxmodel:libcurlscope:ltversion:7.36.0 thats all 7.64.0

Trust: 0.8

vendor:netappmodel:clustered data ontapscope: - version: -

Trust: 0.8

vendor:ubuntumodel:linuxscope:eqversion:18.10

Trust: 0.3

vendor:ubuntumodel:linux ltsscope:eqversion:18.04

Trust: 0.3

vendor:ubuntumodel:linux ltsscope:eqversion:16.04

Trust: 0.3

vendor:ubuntumodel:linux ltsscope:eqversion:14.04

Trust: 0.3

vendor:siemensmodel:sinema remote connect clientscope:eqversion:1.0

Trust: 0.3

vendor:redhatmodel:software collections for rhelscope:eqversion:0

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:8.0.15

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:8.0.14

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:8.0.13

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:8.0.12

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:8.0.11

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.26

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.25

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.24

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.23

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.22

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.21

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.20

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.19

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.18

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.17

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.16

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.15

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7.12

Trust: 0.3

vendor:oraclemodel:mysql serverscope:eqversion:5.7

Trust: 0.3

vendor:oraclemodel:enterprise manager ops centerscope:eqversion:12.4

Trust: 0.3

vendor:netappmodel:clustered data ontapscope:eqversion:0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.63

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.62

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.61.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.61

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.60

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.59

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.58

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.57

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.56.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.56

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.55.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.54.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.54

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.53.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.53

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.52

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.51

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.50.3

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.50.2

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.50.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.50

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.47

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.46

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.43

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.42.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.36

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.55.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.52.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.49.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.48.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.42.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.41.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.40.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.39

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.38.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.37.1

Trust: 0.3

vendor:haxxmodel:libcurlscope:eqversion:7.37.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.62

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.61.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.61

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.60

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.59

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.58

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.56.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.56

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.55.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.55

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.54.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.54

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.53.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.53

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.52

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.51

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.50.3

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.50

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.47

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.46

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.45

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.43

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.42.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.36

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.63.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.57.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.52.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.50.1

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.49.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.48.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.42.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.41.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.40.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.39.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.38.0

Trust: 0.3

vendor:haxxmodel:curlscope:eqversion:7.37.1

Trust: 0.3

vendor:siemensmodel:sinema remote connect client hf1scope:neversion:2.0

Trust: 0.3

vendor:haxxmodel:libcurlscope:neversion:7.64

Trust: 0.3

vendor:haxxmodel:curlscope:neversion:7.64.0

Trust: 0.3

sources: BID: 106950 // JVNDB: JVNDB-2019-001733 // NVD: CVE-2019-3822

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-3822
value: CRITICAL

Trust: 1.0

secalert@redhat.com: CVE-2019-3822
value: HIGH

Trust: 1.0

NVD: CVE-2019-3822
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201902-124
value: CRITICAL

Trust: 0.6

VULMON: CVE-2019-3822
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-3822
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

nvd@nist.gov: CVE-2019-3822
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

secalert@redhat.com: CVE-2019-3822
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 4.2
version: 3.0

Trust: 1.0

NVD: CVE-2019-3822
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULMON: CVE-2019-3822 // JVNDB: JVNDB-2019-001733 // CNNVD: CNNVD-201902-124 // NVD: CVE-2019-3822 // NVD: CVE-2019-3822

PROBLEMTYPE DATA

problemtype:CWE-121

Trust: 1.0

problemtype:CWE-787

Trust: 1.0

problemtype:CWE-119

Trust: 0.8

sources: JVNDB: JVNDB-2019-001733 // NVD: CVE-2019-3822

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 151566 // CNNVD: CNNVD-201902-124

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201902-124

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-001733

PATCH

title:DSA-4386url:https://www.debian.org/security/2019/dsa-4386

Trust: 0.8

title:NTAP-20190315-0001url:https://security.netapp.com/advisory/ntap-20190315-0001/

Trust: 0.8

title:NTLMv2 type-3 header stack buffer overflowurl:https://curl.haxx.se/docs/CVE-2019-3822.html

Trust: 0.8

title:USN-3882-1url:https://usn.ubuntu.com/3882-1/

Trust: 0.8

title:Red Hat: Moderate: curl security and bug fix updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20193701 - Security Advisory

Trust: 0.1

title:Red Hat: CVE-2019-3822url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2019-3822

Trust: 0.1

title:Ubuntu Security Notice: curl vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3882-1

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2019-3822

Trust: 0.1

title:Amazon Linux AMI: ALAS-2019-1297url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1297

Trust: 0.1

title:Arch Linux Advisories: [ASA-201902-13] lib32-curl: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201902-13

Trust: 0.1

title:Arch Linux Advisories: [ASA-201902-9] curl: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201902-9

Trust: 0.1

title:Arch Linux Advisories: [ASA-201902-10] libcurl-gnutls: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201902-10

Trust: 0.1

title:Arch Linux Advisories: [ASA-201902-12] lib32-libcurl-compat: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201902-12

Trust: 0.1

title:Arch Linux Advisories: [ASA-201902-11] lib32-libcurl-gnutls: arbitrary code executionurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201902-11

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM Event Streams is affected by cURL vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=22decc09aeaa3dba577a38ac2ead2bac

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - October 2019url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=1258fbf11199f28879a6fcc9f39902e9

Trust: 0.1

title:Siemens Security Advisories: Siemens Security Advisoryurl:https://vulmon.com/vendoradvisory?qidtp=siemens_security_advisories&qid=8a056bd2177d12192b11798b7ac3e013

Trust: 0.1

title:Amazon Linux 2: ALAS2-2019-1162url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2019-1162

Trust: 0.1

title:IBM: IBM Security Bulletin: BigFix Platform 9.5.x / 9.2.x affected by multiple vulnerabilities (CVE-2018-16839, CVE-2018-16842, CVE-2018-16840, CVE-2019-3823, CVE-2019-3822, CVE-2018-16890, CVE-2019-4011, CVE-2018-2005, CVE-2019-4058, CVE-2019-1559)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=0b05dc856c1be71db871bcea94f6fa8d

Trust: 0.1

title:Red Hat: Moderate: OpenShift Container Platform 4.6.1 image security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20204298 - Security Advisory

Trust: 0.1

title:fedsummit_19url:https://github.com/clemenko/fedsummit_19

Trust: 0.1

title:dc19_supply_chainurl:https://github.com/clemenko/dc19_supply_chain

Trust: 0.1

title:dc19_supply_chainurl:https://github.com/bbrungi/dc19_supply_chain

Trust: 0.1

title:BlackHat2019url:https://github.com/saiyuki1919/BlackHat2019

Trust: 0.1

title:TrivyWeburl:https://github.com/KorayAgaya/TrivyWeb

Trust: 0.1

title:cveurl:https://github.com/michwqy/cve

Trust: 0.1

title:github_aquasecurity_trivyurl:https://github.com/back8/github_aquasecurity_trivy

Trust: 0.1

title:trivyurl:https://github.com/simiyo/trivy

Trust: 0.1

title:securityurl:https://github.com/umahari/security

Trust: 0.1

title: - url:https://github.com/Mohzeela/external-secret

Trust: 0.1

title:Vulnerability-Scanner-for-Containersurl:https://github.com/t31m0/Vulnerability-Scanner-for-Containers

Trust: 0.1

title:trivyurl:https://github.com/aquasecurity/trivy

Trust: 0.1

title:trivyurl:https://github.com/knqyf263/trivy

Trust: 0.1

title:trivyurl:https://github.com/siddharthraopotukuchi/trivy

Trust: 0.1

title:Threatposturl:https://threatpost.com/oracle-squashes-53-critical-bugs-in-april-security-update/143845/

Trust: 0.1

sources: VULMON: CVE-2019-3822 // JVNDB: JVNDB-2019-001733

EXTERNAL IDS

db:NVDid:CVE-2019-3822

Trust: 3.4

db:BIDid:106950

Trust: 2.0

db:SIEMENSid:SSA-436177

Trust: 2.0

db:ICS CERTid:ICSA-19-099-04

Trust: 1.8

db:JVNDBid:JVNDB-2019-001733

Trust: 0.8

db:PACKETSTORMid:152034

Trust: 0.7

db:AUSCERTid:ESB-2019.1084

Trust: 0.6

db:AUSCERTid:ESB-2020.3700

Trust: 0.6

db:AUSCERTid:ESB-2019.0381.3

Trust: 0.6

db:CNNVDid:CNNVD-201902-124

Trust: 0.6

db:VULMONid:CVE-2019-3822

Trust: 0.1

db:PACKETSTORMid:151568

Trust: 0.1

db:PACKETSTORMid:155162

Trust: 0.1

db:PACKETSTORMid:159727

Trust: 0.1

db:PACKETSTORMid:151566

Trust: 0.1

db:PACKETSTORMid:151569

Trust: 0.1

sources: VULMON: CVE-2019-3822 // BID: 106950 // JVNDB: JVNDB-2019-001733 // PACKETSTORM: 152034 // PACKETSTORM: 151568 // PACKETSTORM: 155162 // PACKETSTORM: 159727 // PACKETSTORM: 151566 // PACKETSTORM: 151569 // CNNVD: CNNVD-201902-124 // NVD: CVE-2019-3822

REFERENCES

url:http://www.securityfocus.com/bid/106950

Trust: 2.9

url:https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3822

Trust: 2.8

url:https://access.redhat.com/errata/rhsa-2019:3701

Trust: 2.4

url:https://usn.ubuntu.com/3882-1/

Trust: 2.1

url:https://curl.haxx.se/docs/cve-2019-3822.html

Trust: 2.0

url:https://www.debian.org/security/2019/dsa-4386

Trust: 2.0

url:https://security.netapp.com/advisory/ntap-20190315-0001/

Trust: 2.0

url:https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf

Trust: 2.0

url:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Trust: 2.0

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2019-3822

Trust: 1.9

url:https://security.gentoo.org/glsa/201903-03

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20190719-0004/

Trust: 1.7

url:https://support.f5.com/csp/article/k84141449

Trust: 1.1

url:https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3cdevnull.infra.apache.org%3e

Trust: 1.1

url:https://support.f5.com/csp/article/k84141449?utm_source=f5support&amp%3butm_medium=rss

Trust: 1.1

url:https://access.redhat.com/security/cve/cve-2019-3822

Trust: 1.1

url:https://access.redhat.com/security/cve/cve-2019-3823

Trust: 1.1

url:https://ics-cert.us-cert.gov/advisories/icsa-19-099-04

Trust: 1.0

url:http://curl.haxx.se/

Trust: 0.9

url:https://curl.haxx.se/download.html

Trust: 0.9

url:https://github.com/curl/curl/commit/86724581b6c

Trust: 0.9

url:https://github.com/curl/curl/commit/39df4073

Trust: 0.9

url:https://github.com/curl/curl/commit/2766262a68

Trust: 0.9

url:https://github.com/curl/curl/commit/50c94842

Trust: 0.9

url:https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3823

Trust: 0.9

url:https://curl.haxx.se/docs/cve-2019-3823.html

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3822

Trust: 0.9

url:https://www.us-cert.gov/ics/advisories/icsa-19-099-04

Trust: 0.8

url:https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3cdevnull.infra.apache.org%3e

Trust: 0.6

url:https://support.f5.com/csp/article/k84141449?utm_source=f5support&utm_medium=rss

Trust: 0.6

url:http://www.ibm.com/support/docview.wss

Trust: 0.6

url:https://www.auscert.org.au/bulletins/75218

Trust: 0.6

url:https://us-cert.cisa.gov/ics/advisories/icsa-19-099-04

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3700/

Trust: 0.6

url:https://packetstormsecurity.com/files/152034/gentoo-linux-security-advisory-201903-03.html

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10876554

Trust: 0.6

url:https://www.auscert.org.au/bulletins/78194

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2019-3823

Trust: 0.5

url:https://nvd.nist.gov/vuln/detail/cve-2018-16890

Trust: 0.5

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-20483

Trust: 0.2

url:https://bugzilla.redhat.com/):

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2018-20483

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-16890

Trust: 0.2

url:https://access.redhat.com/security/team/contact/

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://github.com/clemenko/fedsummit_19

Trust: 0.1

url:http://tools.cisco.com/security/center/viewalert.x?alertid=60802

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-14618

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-16842

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-16840

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-16839

Trust: 0.1

url:https://security-tracker.debian.org/tracker/curl

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.1_release_notes/

Trust: 0.1

url:https://access.redhat.com/security/team/key/

Trust: 0.1

url:https://access.redhat.com/articles/11258

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8768

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-20852

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8535

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-10743

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-15718

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-20657

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-19126

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-1712

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8518

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-12448

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8611

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-8203

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-6251

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8676

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-1549

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-9251

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-17451

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-20060

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-19519

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11070

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-7150

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-1547

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-7664

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8607

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-12052

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-5482

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-14973

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8623

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-15366

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8594

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8690

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-20060

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-13752

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8601

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11324

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-19925

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-7146

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-1010204

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-7013

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11324

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11236

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8524

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-10739

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-18751

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-5481

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8536

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8686

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8671

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-12447

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8544

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-12049

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8571

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-19519

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-15719

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2013-0169

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8677

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-5436

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-18624

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8595

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-13753

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8558

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11459

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11358

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-12447

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8679

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-12795

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-20657

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-5094

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3844

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-6454

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-20852

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-12450

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-14336

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8619

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:4298

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8622

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-1010180

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-7598

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8681

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3825

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8523

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-18074

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-0169

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-6237

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-6706

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-20337

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8673

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8559

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8687

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-13822

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.6/updating/updating-cluster

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-19923

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-16769

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8672

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-11023

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11358

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-14822

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-14404

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8608

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-7662

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8615

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-12449

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-7665

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8666

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8457

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-5953

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8689

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-15847

Trust: 0.1

url:https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-14498

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8735

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11236

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-19924

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8586

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-12245

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-14404

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8726

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-1010204

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8596

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8696

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8610

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-18408

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-13636

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-1563

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-11070

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-14498

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-7149

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-12450

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-16056

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-10739

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-20337

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-18074

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-11110

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8584

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-19959

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8675

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8563

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-10531

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-13232

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3843

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-14040

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-1010180

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-12449

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-10715

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8609

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-9283

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8587

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-18751

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8506

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-18624

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-11022

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8583

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2018-9251

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-12448

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2020-11008

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-11459

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-8597

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.12

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.61.0-1ubuntu2.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.6

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/curl/7.35.0-1ubuntu2.20

Trust: 0.1

url:https://usn.ubuntu.com/usn/usn-3882-1

Trust: 0.1

url:http://slackware.com

Trust: 0.1

url:http://osuosl.org)

Trust: 0.1

url:http://slackware.com/gpg-key

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3823

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16890

Trust: 0.1

sources: VULMON: CVE-2019-3822 // BID: 106950 // JVNDB: JVNDB-2019-001733 // PACKETSTORM: 152034 // PACKETSTORM: 151568 // PACKETSTORM: 155162 // PACKETSTORM: 159727 // PACKETSTORM: 151566 // PACKETSTORM: 151569 // CNNVD: CNNVD-201902-124 // NVD: CVE-2019-3822

CREDITS

Siemens ProductCERT reported these vulnerabilities to NCCIC.,Brian Carpenter, Geeknik Labs and Wenxiang Qian from Tencent Blade Team.,Gentoo

Trust: 0.6

sources: CNNVD: CNNVD-201902-124

SOURCES

db:VULMONid:CVE-2019-3822
db:BIDid:106950
db:JVNDBid:JVNDB-2019-001733
db:PACKETSTORMid:152034
db:PACKETSTORMid:151568
db:PACKETSTORMid:155162
db:PACKETSTORMid:159727
db:PACKETSTORMid:151566
db:PACKETSTORMid:151569
db:CNNVDid:CNNVD-201902-124
db:NVDid:CVE-2019-3822

LAST UPDATE DATE

2024-11-23T20:19:19.449000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2019-3822date:2023-11-07T00:00:00
db:BIDid:106950date:2019-07-17T06:00:00
db:JVNDBid:JVNDB-2019-001733date:2019-07-08T00:00:00
db:CNNVDid:CNNVD-201902-124date:2021-03-10T00:00:00
db:NVDid:CVE-2019-3822date:2024-11-21T04:42:36.923

SOURCES RELEASE DATE

db:VULMONid:CVE-2019-3822date:2019-02-06T00:00:00
db:BIDid:106950date:2019-02-06T00:00:00
db:JVNDBid:JVNDB-2019-001733date:2019-03-25T00:00:00
db:PACKETSTORMid:152034date:2019-03-11T18:48:31
db:PACKETSTORMid:151568date:2019-02-07T16:32:00
db:PACKETSTORMid:155162date:2019-11-06T15:57:33
db:PACKETSTORMid:159727date:2020-10-27T16:59:02
db:PACKETSTORMid:151566date:2019-02-06T22:35:20
db:PACKETSTORMid:151569date:2019-02-07T16:32:06
db:CNNVDid:CNNVD-201902-124date:2019-02-06T00:00:00
db:NVDid:CVE-2019-3822date:2019-02-06T20:29:00.353