CVE-2015-3148
It was discovered that libcurl could incorrectly reuse Negotiate authenticated HTTP connections for subsequent requests. If an application using libcurl established a Negotiate authenticated HTTP connection to a server and sent subsequent requests with different credentials, the connection could be re-used with the initial set of credentials instead of using the new ones.
Find out more about CVE-2015-3148 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue affects the version of curl package as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not planned to be addressed in a future update for Red Hat Enterprise Linux 5.
CVSS v2 metrics
| Base Score | 4 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:P/I:P/A:N |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 7 (curl) | RHSA-2015:2159 | 2015-11-19 |
| Red Hat Enterprise Linux 6 (curl) | RHSA-2015:1254 | 2015-07-20 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | curl | Will not fix |
| Red Hat Ceph Storage 1.2 | curl | Will not fix |
| RHEV Manager 3 | mingw-virt-viewer | Fix deferred |