CVE-2016-8625: Input Validation
First published: Tue Oct 25 2016(Updated: )
curl before version 7.51.0 uses outdated IDNA 2003 standard to handle International Domain Names and this may lead users to potentially and unknowingly issue network transfer requests to the wrong host.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/curl | <7.51.0 | 7.51.0 |
| Curl | <7.51.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/94107
- http://www.securitytracker.com/id/1037192
- https://access.redhat.com/errata/RHSA-2018:2486
- https://access.redhat.com/errata/RHSA-2018:3558
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8625
- https://curl.haxx.se/CVE-2016-8625.patch
- https://curl.haxx.se/docs/adv_20161102K.html
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://security.gentoo.org/glsa/201701-47
- https://www.tenable.com/security/tns-2016-21
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1213820&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1213820&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1390894
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1390895
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1390896
- http://pkgs.fedoraproject.org/cgit/rpms/curl.git/commit/?id=c8e19229
- https://curl.haxx.se/mail/lib-2016-11/0033.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1388392#c4
- http://seclists.org/oss-sec/2016/q4/333
- https://bugzilla.redhat.com/show_bug.cgi?id=1388392
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2016-8625?
CVE-2016-8625 has a medium severity level due to its potential to redirect network requests to incorrect hosts.
How do I fix CVE-2016-8625?
To fix CVE-2016-8625, upgrade curl to version 7.51.0 or higher.
What versions of curl are affected by CVE-2016-8625?
CVE-2016-8625 affects curl versions before 7.51.0.
Can CVE-2016-8625 lead to data breaches?
Yes, CVE-2016-8625 could potentially lead to data breaches by allowing users to unknowingly connect to malicious hosts.
Is libidn related to CVE-2016-8625?
Yes, CVE-2016-8625 is related to the use of the outdated libidn library for handling International Domain Names.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-8625
- agent/software-canonical-lookup
- agent/author
- agent/remedy
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/haxx
- canonical/curl