Bugzilla – Bug 1005634
VUL-1: CVE-2016-8616: curl: case insensitive password comparison
Last modified: 2019-05-29 07:20:18 UTC
case insensitive password comparison
====================================

Project cURL Security Advisory, November 2, 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20161102B.html)

VULNERABILITY
-------------

When re-using a connection, curl was doing case insensitive comparisons of user name and password with the existing connections.

This means that if an unused connection with proper credentials exists for a protocol that has connection-scoped credentials, an attacker can cause that connection to be reused if s/he knows the case-insensitive version of the correct password.

We are not aware of any exploit of this flaw.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-XXXX to this issue.

AFFECTED VERSIONS
-----------------

This flaw exists in the following curl versions.

- Affected versions: curl 7.7 to and including 7.50.3
- Not affected versions: curl < 7.7 and curl >= 7.51.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION
------------

In version 7.51.0, these functions will deny negative string lengths from being used.

A [patch for CVE-2016-XXXX](https://curl.haxx.se/s3c/B.patch) is available.

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 7.51.0

B - Apply the patch to your version and rebuild

TIME LINE
---------

It was first reported to the curl project on September 23 by Cure53.

We contacted distros@openwall on October 19.

curl 7.51.0 was released on November 2 2016, coordinated with the publication of this advisory.

CREDITS
-------

This vulnerability was found during a Secure Open Source audit performed by Cure53.
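The mechanism the advisory describes, as an added example that is not curl's code and not part of the advisory or this bug: a toy connection cache in C with two lookups over the same pool. The first matches an idle connection on an ASCII case-insensitive comparison of user name and password, the pre-7.51.0 behaviour, so a caller presenting "SECRET1" is handed a connection that was authenticated with "secret1" (the situation matters for protocols such as FTP, where the login is bound to the connection). The second compares both credential fields byte for byte. The pool contents, host name and credentials are constructed sample data, and every type and function name (conn_t, find_reusable_vulnerable, find_reusable_fixed, secret_equal) belongs to this example, not to libcurl.

```c
/* Added example, not curl's own code: models the credential check behind
 * CVE-2016-8616 with a constructed connection pool. Names are this
 * example's own, not libcurl's. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *host;
    int port;
    const char *user;    /* credentials the pooled connection was logged in with */
    const char *passwd;
    int in_use;          /* non-zero: busy, never a reuse candidate */
} conn_t;

/* Constructed pool: an idle FTP connection authenticated as bob/secret1 and
 * a busy one authenticated as alice/Hunter2. */
static conn_t pool[] = {
    { "ftp.example.test", 21, "bob",   "secret1", 0 },
    { "ftp.example.test", 21, "alice", "Hunter2", 1 },
};
#define POOL_LEN (sizeof(pool) / sizeof(pool[0]))

/* ASCII-only case-insensitive equality: the comparison style the vulnerable
 * lookup applied to user name and password. */
int ascii_casecmp_equal(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
        a++;
        b++;
    }
    return *a == *b;   /* equal only if both strings ended together */
}

/* Exact equality that does not stop at the first mismatching byte, so the
 * time taken does not reveal how much of the secret was right. */
int secret_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Host names are case-insensitive, so this part stays case-folded in both
 * variants; the flaw was applying the same folding to the credentials. */
static int same_endpoint(const conn_t *c, const char *host, int port)
{
    return c->port == port && ascii_casecmp_equal(c->host, host);
}

/* Vulnerable lookup (pre-7.51.0 behaviour): index of an idle connection to
 * the same endpoint whose credentials match case-insensitively, else -1. */
int find_reusable_vulnerable(const char *host, int port,
                             const char *user, const char *passwd)
{
    for (size_t i = 0; i < POOL_LEN; i++) {
        const conn_t *c = &pool[i];
        if (c->in_use || !same_endpoint(c, host, port))
            continue;
        if (ascii_casecmp_equal(c->user, user) &&
            ascii_casecmp_equal(c->passwd, passwd))
            return (int)i;
    }
    return -1;
}

/* Fixed lookup: same pool walk, but user name and password must match exactly. */
int find_reusable_fixed(const char *host, int port,
                        const char *user, const char *passwd)
{
    for (size_t i = 0; i < POOL_LEN; i++) {
        const conn_t *c = &pool[i];
        if (c->in_use || !same_endpoint(c, host, port))
            continue;
        if (secret_equal(c->user, user) && secret_equal(c->passwd, passwd))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Legitimate caller: both variants return pool slot 0.
     * Caller with only the wrong-case password: slot 0 from the vulnerable
     * lookup, -1 (no reuse) from the fixed one. */
    printf("bob/secret1 vulnerable=%d fixed=%d\n",
           find_reusable_vulnerable("ftp.example.test", 21, "bob", "secret1"),
           find_reusable_fixed("ftp.example.test", 21, "bob", "secret1"));
    printf("bob/SECRET1 vulnerable=%d fixed=%d\n",
           find_reusable_vulnerable("ftp.example.test", 21, "bob", "SECRET1"),
           find_reusable_fixed("ftp.example.test", 21, "bob", "SECRET1"));
    return 0;
}
```

The point to carry over when auditing any connection or session cache: the endpoint key (host name) may be compared case-insensitively, but anything that functions as a credential must be compared exactly, and ideally without early exit on the first differing byte.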
From: Daniel Stenberg

We intend to publish the advisories, the patches and announce the new release (7.51.0) with all of these problems fixed on November 2nd.

CRD: 2016-11-02
bugbot adjusting priority
SUSE-SU-2016:2699-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): curl-7.37.0-31.1
SUSE Linux Enterprise Server 12-SP1 (src): curl-7.37.0-31.1
SUSE Linux Enterprise Desktop 12-SP1 (src): curl-7.37.0-31.1
SUSE-SU-2016:2700-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,997420,998760
CVE References: CVE-2016-5420,CVE-2016-7141,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Studio Onsite 1.3 (src): curl-7.19.7-1.20.47.2
SUSE-SU-2016:2714-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SP4 (src): curl-7.19.7-1.64.1
SUSE Linux Enterprise Server 11-SECURITY (src): curl-openssl1-7.19.7-1.64.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): curl-7.19.7-1.64.1
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-11-18.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63187
openSUSE-SU-2016:2768-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005640,1005642,1005643,1005645,1005646,998760
CVE References: CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
openSUSE Leap 42.1 (src): curl-7.37.0-16.1
released