-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT Security Bulletin
Multiple vulnerabilities have been identified in cURL
18 June 2015
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
               Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2015-3237 CVE-2015-3236
Member content until: Saturday, July 18 2015
Multiple vulnerabilities have been identified in cURL versions
between 7.40.0 inclusive and 7.43.0. 
The following details have been provided regarding the
"libcurl can wrongly send HTTP credentials when re-using
libcurl allows applications to set credentials for the upcoming
transfer with HTTP Basic authentication, like with CURLOPT_USERPWD
for example. Name and password. Just like all other libcurl options
the credentials are sticky and are kept associated with the "handle"
until something is made to change the situation.
Further, libcurl offers a curl_easy_reset() function that resets a
handle back to its pristine state in terms of all settable options.
A reset is of course also supposed to clear the credentials. A reset
is typically used to clear up the handle and prepare it for a new,
possibly unrelated, transfer.
Within such a handle, libcurl can also store a set of previous
connections in case a second transfer is requested to a host name
for which an existing connection is already kept alive.
With this flaw present, using the handle even after a reset would
make libcurl accidentally use those credentials in a subsequent
request if done to the same host name and connection as was
An example case would be first requesting a password protected
resource from one section of a web site, and then do a second
request of a public resource from a completely different part of the
site without authentication. This flaw would then inadvertently leak
the credentials in the second request." 
"libcurl can get tricked by a malicious SMB server to send off data
it did not intend to.
In libcurl's state machine function handling the SMB protocol
(smb_request_state()), two length and offset values are extracted
from data that has arrived over the network, and those values are
subsequently used to figure out what data range to send back.
The values are used and trusted without boundary checks and are just
assumed to be valid. This allows carefully handicrafted packages to
trick libcurl into responding and sending off data that was not
intended. Or just crash if the values cause libcurl to access
invalid memory." 
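Added example (not part of the bulletin and not libcurl's source code): the kind of boundary check whose absence the SMB description above points to, applied to an offset/length pair taken from received data. The message layout and the names extract_range, read16_le, HDR_LEN and demo_out are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example only: the first four bytes of a received
   message are two little-endian 16-bit fields, offset then length, naming
   a data range inside the same message. */
#define HDR_LEN 4

static uint16_t read16_le(const unsigned char *p)
{
  return (uint16_t)(p[0] | (p[1] << 8));
}

/* Copy the range the peer named into out. Returns bytes copied, or -1 when
   the range is not fully inside the `got` bytes actually received. */
long extract_range(const unsigned char *msg, size_t got,
                   unsigned char *out, size_t outlen)
{
  size_t off, len;
  if(got < HDR_LEN)
    return -1;                 /* header itself is truncated */
  off = read16_le(msg);
  len = read16_le(msg + 2);
  /* Compare len against got - off so that off + len is never computed
     and cannot wrap around. */
  if(off < HDR_LEN || off > got || len > got - off)
    return -1;                 /* range leaves the received payload */
  if(len > outlen)
    return -1;                 /* destination buffer too small */
  memcpy(out, msg + off, len);
  return (long)len;
}

/* Constructed sample messages, not captured traffic. */
const unsigned char msg_ok[]   = { 4, 0, 3, 0, 'a', 'b', 'c' };
const unsigned char msg_long[] = { 4, 0, 0xff, 0xff, 'a', 'b', 'c' };
const unsigned char msg_far[]  = { 0x00, 0x10, 1, 0, 'a', 'b', 'c' };
unsigned char demo_out[16];

int main(void)
{
  printf("ok=%ld long=%ld far=%ld\n",
         extract_range(msg_ok, sizeof(msg_ok), demo_out, sizeof(demo_out)),
         extract_range(msg_long, sizeof(msg_long), demo_out, sizeof(demo_out)),
         extract_range(msg_far, sizeof(msg_far), demo_out, sizeof(demo_out)));
  return 0;
}
```

Only the first sample names a range inside the bytes received; the other two carry an oversized length and an out-of-range offset and are rejected before any copy takes place.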
Users are advised to upgrade cURL to version 7.43.0. [1-3]
[1] cURL -- Multiple Vulnerability
[2] lingering HTTP credentials in connection re-use
[3] SMB send off unrelated memory contents
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----