Vulnerability CVE-2015-3144: Information

Description

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."

Severity: CRITICAL (9.0)

Fixed packages

References to Advisories, Solutions, and Tools

1. Affected configurations:

   1. Configuration 1

      cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

      End including

      2.3.20

      ---

      cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

      End including

      3.0.22

      ---

      Configuration 2

      cpe:2.3:a:haxx:curl:7.40.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:curl:7.38.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:curl:7.41.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:curl:7.37.1:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:curl:7.37.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:curl:7.39.0:*:*:*:*:*:*:*

      ---

      Configuration 3

      cpe:2.3:a:haxx:libcurl:7.37.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:libcurl:7.40.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:libcurl:7.41.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:libcurl:7.38.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:libcurl:7.37.1:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:haxx:libcurl:7.39:*:*:*:*:*:*:*

      ---

      Configuration 4

      cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

      ---

      cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

      ---

      cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*

      ---