The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability note CVE-2019-3822

libcurl: buffer overflow via NTLM Type-3

Synthesis of the vulnerability

A malicious HTTP server can trigger a stack buffer overflow in libcurl while it builds an NTLM Type-3 (authenticate) message, in order to cause a denial of service, and possibly to run code in the client.
Severity of this computer vulnerability: 3/4.
Creation date: 06/02/2019.
References for this announcement: bulletinjan2019, bulletinoct2019, cpuapr2019, cpujul2019, CVE-2019-3822, DLA-1672-1, DSA-4386-1, FEDORA-2019-43489941ff, openSUSE-SU-2019:0173-1, openSUSE-SU-2019:0174-1, RHSA-2019:3701-01, SSA:2019-037-01, STORM-2019-002, SUSE-SU-2019:0248-1, SUSE-SU-2019:0249-1, SUSE-SU-2019:0249-2, SUSE-SU-2019:0339-1, USN-3882-1, VIGILANCE-VUL-28444.

Description of the vulnerability

libcurl supports NTLM authentication against HTTP servers. When a server answers with an NTLM Type-2 (challenge) message, libcurl extracts the data it contains and uses it to assemble the outgoing Type-3 (authenticate) message in a fixed-size local buffer (lib/vauth/ntlm.c, Curl_auth_create_ntlm_type3_message()). The length check that is supposed to keep the NT response from overflowing that buffer is written with unsigned arithmetic: when the response is longer than the buffer, the subtraction wraps around instead of failing the check, and the following copy overruns the buffer on the stack.

The size of the NTLMv2 response is derived from the target information the server itself supplies in the Type-2 message, so a malicious or broken server can make it larger than the local buffer (roughly 1000 bytes or more) without any cooperation from the client. libcurl versions 7.36.0 through 7.63.0 are affected; version 7.64.0 corrects the check.

An attacker controlling an HTTP server that a libcurl-based client authenticates to with NTLM can therefore trigger a stack buffer overflow, in order to cause a denial of service, and possibly to run code.
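The following C program is an added illustration of the bug class described above and is not code from curl or from the Vigil@nce bulletin. It places a length check modelled on the pre-7.64.0 logic (an unsigned subtraction that wraps) next to a hardened check modelled on the fix commit referenced below, and reports how far past the buffer the unsafe check would let a copy run. The buffer size, the function names and the sample lengths are assumptions chosen for the example; no memory is actually overflowed, the program only computes the decision each check would make.

```c
#include <stddef.h>
#include <stdio.h>

/* Size of the fixed local buffer in which the Type-3 message is assembled.
 * libcurl's constant is called NTLM_BUFSIZE; the value 1024 used here is an
 * assumption for the example. */
#define NTLM_BUFSIZE 1024

/* Vulnerable form of the check, modelled on the pre-7.64.0 logic: the
 * subtraction is evaluated in size_t, so an ntresplen larger than the buffer
 * wraps to a huge value and "used < huge" is true. Returns 1 if the copy
 * would be allowed. */
int ntresp_fits_unsafe(size_t used, size_t ntresplen)
{
    return used < (NTLM_BUFSIZE - ntresplen);
}

/* Hardened form: compare the sum against the buffer size, and order the
 * comparison so that the arithmetic itself cannot wrap. Returns 1 only
 * when used + ntresplen <= NTLM_BUFSIZE. */
int ntresp_fits_safe(size_t used, size_t ntresplen)
{
    if (used > NTLM_BUFSIZE)
        return 0;                               /* buffer already overrun */
    return ntresplen <= NTLM_BUFSIZE - used;    /* cannot wrap: used <= NTLM_BUFSIZE */
}

/* Number of bytes past the end of the buffer that a memcpy guarded only by
 * the unsafe check would write. 0 means the copy is rejected or really fits. */
size_t unsafe_overflow_bytes(size_t used, size_t ntresplen)
{
    if (!ntresp_fits_unsafe(used, ntresplen))
        return 0;
    if (used + ntresplen <= NTLM_BUFSIZE)
        return 0;
    return used + ntresplen - NTLM_BUFSIZE;
}

int main(void)
{
    /* Constructed inputs: 'used' is the number of Type-3 header bytes already
     * in the buffer before the NT response is appended. An NTLMv1 response is
     * 24 bytes; an NTLMv2 response grows with the target-info block taken from
     * the server's Type-2 message, so a hostile server controls its length. */
    const size_t used = 64;
    const size_t lengths[] = { 24, 900, 1000, 1500, 4000 };
    size_t i;

    for (i = 0; i < sizeof(lengths) / sizeof(lengths[0]); i++) {
        size_t n = lengths[i];
        printf("ntresplen=%4zu  unsafe:%s (would overflow by %4zu)  safe:%s\n",
               n,
               ntresp_fits_unsafe(used, n) ? "allow " : "reject",
               unsafe_overflow_bytes(used, n),
               ntresp_fits_safe(used, n) ? "allow " : "reject");
    }
    return 0;
}
```

Note that the unsafe check is not simply inverted: a response slightly too long (1000 bytes with 64 already used) is still rejected, because the subtraction has not wrapped yet. Only a response longer than the whole buffer flips the comparison, which matches the "around 1000 bytes or more" threshold in the description. The hardened check fails closed for every length that does not fit.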

This vulnerability impacts software or systems such as SDS, SES, SNS, curl, Debian, Fedora, MariaDB, MySQL Community, MySQL Enterprise, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Solaris, Tuxedo, WebLogic, Percona Server, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team rates the severity of this vulnerability as important.

Trust level: confirmed by the vendor. Attack origin: an internet server, namely the HTTP server that the libcurl-based client authenticates to.

Exploiting this vulnerability requires expert skill.

Solutions for this threat

libcurl: version 7.64.0.
The version 7.64.0 is fixed:
  https://curl.haxx.se/

libcurl: patch for NTLM Type-3.
A patch is available:
  https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc

Cloud Foundry: fixed versions for curl.
Fixed versions are indicated in information sources.

Debian 8: new curl packages.
New packages are available:
  Debian 8: curl 7.38.0-4+deb8u14

Debian 9: new curl packages.
New packages are available:
  Debian 9: curl 7.52.1-5+deb9u9

Fedora 29: new curl packages.
New packages are available:
  Fedora 29: curl 7.61.1-8.fc29

MariaDB: version 10.1.41.
The version 10.1.41 is fixed:
  https://downloads.mariadb.org/mariadb/10.1.41

MariaDB: version 10.2.26.
The version 10.2.26 is fixed:
  https://downloads.mariadb.org/mariadb/10.2.26

MariaDB: version 10.3.17.
The version 10.3.17 is fixed:
  https://downloads.mariadb.org/mariadb/10.3.17

MariaDB: version 10.4.7.
The version 10.4.7 is fixed:
  https://downloads.mariadb.org/mariadb/10.4.7

MariaDB: version 5.5.65.
The version 5.5.65 is fixed:
  https://downloads.mariadb.org/mariadb/5.5.65

MySQL: version 5.6.45.
The version 5.6.45 is fixed:
  https://support.oracle.com/rs?type=doc&id=2559865.1
  https://dev.mysql.com/downloads/
  https://www.mysql.com/fr/

MySQL: version 5.7.27.
The version 5.7.27 is fixed:
  https://support.oracle.com/rs?type=doc&id=2559865.1
  https://dev.mysql.com/downloads/
  https://www.mysql.com/fr/

MySQL: version 8.0.17.
The version 8.0.17 is fixed:
  https://support.oracle.com/rs?type=doc&id=2559865.1
  https://dev.mysql.com/downloads/
  https://www.mysql.com/fr/

openSUSE Leap: new curl packages.
New packages are available:
  openSUSE Leap 42.3: curl 7.37.0-45.1
  openSUSE Leap 15.0: curl 7.60.0-lp150.2.18.1

Oracle Communications: CPU of April 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2518758.1
  https://support.oracle.com/rs?type=doc&id=2518763.1
  https://support.oracle.com/rs?type=doc&id=2522151.1
  https://support.oracle.com/rs?type=doc&id=2519787.1
  https://support.oracle.com/rs?type=doc&id=2522126.1
  https://support.oracle.com/rs?type=doc&id=2522123.1
  https://support.oracle.com/rs?type=doc&id=2518753.1
  https://support.oracle.com/rs?type=doc&id=2522121.1
  https://support.oracle.com/rs?type=doc&id=2528862.1
  https://support.oracle.com/rs?type=doc&id=2518754.1

Oracle Fusion Middleware: CPU of April 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2498664.1

Oracle Solaris: patch for third party software of January 2019 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Oracle Solaris: patch for third party software of October 2019 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

RHEL 8: new curl packages.
New packages are available:
  RHEL 8: curl 7.61.1-11.el8

Slackware: new curl packages.
New packages are available:
  Slackware 14.0: curl 7.64.0-*-1_slack14.0
  Slackware 14.1: curl 7.64.0-*-1_slack14.1
  Slackware 14.2: curl 7.64.0-*-1_slack14.2

Stormshield: solution for curl.
The solution is indicated in information sources.

SUSE LE 12: new curl packages.
New packages are available:
  SUSE LE 12 RTM: curl 7.37.0-37.34.1
  SUSE LE 12 SP1: curl 7.37.0-37.34.1
  SUSE LE 12 SP2: curl 7.37.0-37.34.1
  SUSE LE 12 SP3: curl 7.37.0-37.34.1

SUSE LE 12 SP4: new curl packages.
New packages are available:
  SUSE LE 12 SP4: curl 7.60.0-4.3.1

SUSE LE 15: new curl packages.
New packages are available:
  SUSE LE 15 RTM: curl 7.60.0-3.17.1

Ubuntu: new curl packages.
New packages are available:
  Ubuntu 18.10: curl 7.61.0-1ubuntu2.3
  Ubuntu 18.04 LTS: curl 7.58.0-2ubuntu3.6
  Ubuntu 16.04 LTS: curl 7.47.0-1ubuntu2.12
  Ubuntu 14.04 LTS: curl 7.35.0-1ubuntu2.20

Wind River Linux: solution (21/05/2019).
The solution is indicated in information sources.

Vigil@nce provides a network vulnerability alert. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.