http://rhn.redhat.com/errata/RHSA-2017-0847.html

http://www.securityfocus.com/bid/97187

https://bugzilla.redhat.com/show_bug.cgi?id=1422464

It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server.

curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.

Red Hat, Inc. AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Red Hat, Inc. CWE-287

https://access.redhat.com/errata/RHSA-2017:0847 [No Types Assigned]

https://access.redhat.com/security/cve/CVE-2017-2628 [No Types Assigned]

curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-53, did not correctly backport the fix for CVE-2015-3148 because it did not reflect the fact that the HAVE_GSSAPI define was meanwhile substituted by USE_HTTP_NEGOTIATE. This issue was introduced in RHEL 6.7 and affects RHEL 6 curl only.

It was found that the fix for CVE-2015-3148 in curl was incomplete. An application using libcurl with HTTP Negotiate authentication could incorrectly re-use credentials for subsequent requests to the same server.

Red Hat, Inc. AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Red Hat, Inc. CWE-287

https://access.redhat.com/errata/RHSA-2017:0847 [No Types Assigned]

https://access.redhat.com/security/cve/CVE-2017-2628 [No Types Assigned]

CWE-287 / Assessment performed prior to CVMAP efforts

Red Hat, Inc. CWE-287

CWE-284

NVD-CWE-noinfo

AND
     OR
          *cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* versions from (including) 7.10.6 up to (including) 7.41.0
     OR
          cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

AND
     OR
          *cpe:2.3:a:haxx:curl:7.19.7:*:*:*:*:*:*:*
     OR
          cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

(AV:N/AC:L/Au:N/C:P/I:P/A:P)

CWE-284

AND
     OR
          *cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* versions from (including) 7.10.6 up to (including) 7.41.0
     OR
          cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
          cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

http://rhn.redhat.com/errata/RHSA-2017-0847.html No Types Assigned

http://rhn.redhat.com/errata/RHSA-2017-0847.html Third Party Advisory

http://www.securityfocus.com/bid/97187 No Types Assigned

http://www.securityfocus.com/bid/97187 Third Party Advisory, VDB Entry

https://bugzilla.redhat.com/show_bug.cgi?id=1422464 No Types Assigned

https://bugzilla.redhat.com/show_bug.cgi?id=1422464 Issue Tracking

http://rhn.redhat.com/errata/RHSA-2017-0847.html [No Types Assigned]

http://www.securityfocus.com/bid/97187 [No Types Assigned]