Bugzilla – Bug 895991
VUL-0: CVE-2014-3620: curl: cookies accepted for TLDs
Last modified: 2014-09-24 18:28:58 UTC
via libcurl announcement
Affected versions: from libcurl 7.31 to and including 7.37.1
Not affected versions: libcurl < 7.31 and libcurl >= 7.38.0
libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply more broadly than cookies are allowed to. This can allow arbitrary sites to set cookies that would then get sent to a different and unrelated site or domain.
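The check a cookie engine needs in order to refuse TLD-scoped cookies, as an added example that is not libcurl's code or its fix. The helper name `cookie_domain_acceptable` and the sample hosts are hypothetical, and a TLD is approximated as a single-label domain; multi-label public suffixes such as `co.uk` need a public suffix list, which is not covered here.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper (not libcurl code): return 1 if a Set-Cookie Domain
 * attribute may be honoured for a response from request_host, else 0. */
int cookie_domain_acceptable(const char *request_host, const char *domain_attr)
{
    size_t hlen, dlen;

    if (!request_host || !domain_attr)
        return 0;
    if (*domain_attr == '.')                  /* ".example.com" == "example.com" */
        domain_attr++;
    dlen = strlen(domain_attr);
    if (dlen && domain_attr[dlen - 1] == '.') /* ignore a trailing root dot */
        dlen--;
    if (dlen == 0)
        return 0;
    /* Reject single-label domains such as "com": a cookie scoped to a TLD
     * would be sent to every unrelated site under that TLD. */
    if (!memchr(domain_attr, '.', dlen))
        return 0;
    /* Domain-match: the host must end with the cookie domain. */
    hlen = strlen(request_host);
    if (hlen < dlen ||
        strncasecmp(request_host + (hlen - dlen), domain_attr, dlen) != 0)
        return 0;
    if (hlen == dlen)
        return 1;                             /* exact host match */
    if (strspn(request_host, "0123456789.") == hlen)
        return 0;                             /* IPv4 literal: exact match only */
    return request_host[hlen - dlen - 1] == '.'; /* true subdomain boundary */
}

int main(void)
{
    /* Constructed sample inputs: {request host, Domain attribute}. */
    const char *cases[][2] = {
        {"www.example.com", "example.com"}, {"www.example.com", ".com"},
        {"www.example.com", "com."}, {"evilexample.com", "example.com"},
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s Domain=%-12s -> %s\n", cases[i][0], cases[i][1],
               cookie_domain_acceptable(cases[i][0], cases[i][1]) ? "accept" : "reject");
    return 0;
}
```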
Created attachment 605739
affected: openSUSE Factory and SLE-12
(In reply to comment #2)
> affected: openSUSE Factory and SLE-12
Also openSUSE 13.1.
This is an autogenerated message for OBS integration:
This bug (895991) was mentioned in
https://build.opensuse.org/request/show/248371 13.1+12.3 / curl
bugbot adjusting priority
openSUSE-SU-2014:1139-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 894575,895991
CVE References: CVE-2014-3613,CVE-2014-3620
openSUSE 13.1 (src): curl-7.32.0-2.27.1
openSUSE 12.3 (src): curl-7.28.1-4.43.1