CVE-2014-3707
A flaw was found in the way the libcurl library performed the duplication of connection handles. If an application set the CURLOPT_COPYPOSTFIELDS option for a handle, using the handle's duplicate could cause the application to crash or disclose a portion of its memory.
Find out more about CVE-2014-3707 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue does not affect the versions of curl as shipped with Red Hat Enterprise Linux 5.
Note that there are no applications provided with Red Hat Enterprise Linux that use the vulnerable CURLOPT_COPYPOSTFIELDS option, except PHP which could only be affected if used in an extremely unlikely scenario or via the script's author.
CVSS v2 metrics
| Base Score | 4 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:P/I:N/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (curl) | RHSA-2015:2159 | 2015-11-19 |
| Red Hat Enterprise Linux 6 (curl) | RHSA-2015:1254 | 2015-07-20 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | curl | Not affected |
| RHEV Manager 3 | mingw-virt-viewer | Fix deferred |