ALAS-2014-322


Amazon Linux AMI Security Advisory: ALAS-2014-322
Advisory Release Date: 2014-09-18 00:20 Pacific
Severity: Medium
References: CVE-2014-0138 

Issue Overview:

The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, which might allow context-dependent attackers to connect as other users via a request, a similar issue to CVE-2014-0015 .


Affected Packages:

curl


Issue Correction:
Run yum update curl to update your system.

New Packages:
i686:
    curl-7.36.0-2.44.amzn1.i686
    libcurl-devel-7.36.0-2.44.amzn1.i686
    curl-debuginfo-7.36.0-2.44.amzn1.i686
    libcurl-7.36.0-2.44.amzn1.i686

src:
    curl-7.36.0-2.44.amzn1.src

x86_64:
    curl-debuginfo-7.36.0-2.44.amzn1.x86_64
    curl-7.36.0-2.44.amzn1.x86_64
    libcurl-7.36.0-2.44.amzn1.x86_64
    libcurl-devel-7.36.0-2.44.amzn1.x86_64