CVE-2011-3389
curl - several
EPSS 3.8%
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
How to fix CVE-2011-3389
To remediate CVE-2011-3389, upgrade each affected package to the fixed version listed for it below.
- —upgrade to 1:13.7.2~dfsg-1 or later
- —upgrade to 1.49+dfsg-1 or later
- —upgrade to 7.24.0-1 or later
- —upgrade to 7.18.2-8lenny6 or later
- —upgrade to 1:15.b-dfsg-1 or later
- —no fix listed
- —no fix listed
- —upgrade to 1.4.28-2+squeeze1 or later
- —upgrade to 1.4.30-1 or later
- —upgrade to 3.12.8-1+squeeze11 or later
- —upgrade to 3.13.1.with.ckbi.1.88-1 or later
- —upgrade to 6b18-1.8.10-0+squeeze2 or later
- —upgrade to 2.6-2 or later
- —upgrade to 2.7.3~rc1-1 or later
Is CVE-2011-3389 being exploited?
Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.
Affected packages (14)
- from 0, < 1:13.7.2~dfsg-1
- from 0, < 1.49+dfsg-1
- from 0, < 7.24.0-1
- from 0, < 7.18.2-8lenny6
- from 0, < 1:15.b-dfsg-1
- from 0
- from 0
- from 0, < 1.4.28-2+squeeze1
- from 0, < 1.4.30-1
- from 0, < 3.12.8-1+squeeze11
- from 0, < 3.13.1.with.ckbi.1.88-1