Message-Id: <E1Lfkht-0006lp-1W@titan.mandriva.com>
Date: Sat, 07 Mar 2009 01:48:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:069 ] curl


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:069
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : curl
 Date    : March 6, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in curl, which
 could allow remote HTTP servers to (1) trigger arbitrary requests to
 intranet servers, (2) read or overwrite arbitrary files via a redirect
 to a file: URL, or (3) execute arbitrary commands via a redirect to
 an scp: URL (CVE-2009-0037).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 67e1fb1335abc2721ce040ce5ebffcb1  2008.0/i586/curl-7.16.4-2.1mdv2008.0.i586.rpm
 605b696753bcaba3f7bca0080e454a03  2008.0/i586/libcurl4-7.16.4-2.1mdv2008.0.i586.rpm
 0d765f46a89a73af026ffcd5ab0bf375  2008.0/i586/libcurl-devel-7.16.4-2.1mdv2008.0.i586.rpm 
 5b41fd64ace9251752278ab51c485283  2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 cbb9fafd973426a0a572ed7c0c58a556  2008.0/x86_64/curl-7.16.4-2.1mdv2008.0.x86_64.rpm
 cd427c136cf760b06ec4f8530f0c6d6d  2008.0/x86_64/lib64curl4-7.16.4-2.1mdv2008.0.x86_64.rpm
 5e5fabf4303b50f68ea2ea3ca6c0819e  2008.0/x86_64/lib64curl-devel-7.16.4-2.1mdv2008.0.x86_64.rpm 
 5b41fd64ace9251752278ab51c485283  2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 372d19020afefeef9d9c076fdbcfe927  2008.1/i586/curl-7.18.0-1.1mdv2008.1.i586.rpm
 8bc3d07c59a1ba1da24ecfe7ecea99ba  2008.1/i586/curl-examples-7.18.0-1.1mdv2008.1.i586.rpm
 691fd3f6beb73d0c273ba22dd8edcf84  2008.1/i586/libcurl4-7.18.0-1.1mdv2008.1.i586.rpm
 f40887d0d032930f77486e9e41360ad6  2008.1/i586/libcurl-devel-7.18.0-1.1mdv2008.1.i586.rpm 
 e9648a229edfb28f7fa366c833517573  2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 708a7b7555fc5de3fa5fe984aa2f5a62  2008.1/x86_64/curl-7.18.0-1.1mdv2008.1.x86_64.rpm
 54c16d007a21e88af81907c60c3846de  2008.1/x86_64/curl-examples-7.18.0-1.1mdv2008.1.x86_64.rpm
 e01f05c2973809b42dbbc86ecd42845b  2008.1/x86_64/lib64curl4-7.18.0-1.1mdv2008.1.x86_64.rpm
 c09950e7fcc52961f95c2aae7a83af39  2008.1/x86_64/lib64curl-devel-7.18.0-1.1mdv2008.1.x86_64.rpm 
 e9648a229edfb28f7fa366c833517573  2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 12514e678a4b04123f00bc422fcf9a3a  2009.0/i586/curl-7.19.0-2.2mdv2009.0.i586.rpm
 4a250c02f083f2729cfe7d23c903a386  2009.0/i586/curl-examples-7.19.0-2.2mdv2009.0.i586.rpm
 f6b909859eec695f753ddba2d716b5a2  2009.0/i586/libcurl4-7.19.0-2.2mdv2009.0.i586.rpm
 e5a953b568c4b8ccebe66a300885747d  2009.0/i586/libcurl-devel-7.19.0-2.2mdv2009.0.i586.rpm 
 ebf22a3c6aa9e18847ec6c3311beb64b  2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 e799091f80c2c44b629fc144b48effa1  2009.0/x86_64/curl-7.19.0-2.2mdv2009.0.x86_64.rpm
 227315c6aefc62e9a1dd7750a3b0d81a  2009.0/x86_64/curl-examples-7.19.0-2.2mdv2009.0.x86_64.rpm
 69c5335dcbe6f08fc67582bb5862ed55  2009.0/x86_64/lib64curl4-7.19.0-2.2mdv2009.0.x86_64.rpm
 f01ec9b830763e5f01d799da687ec605  2009.0/x86_64/lib64curl-devel-7.19.0-2.2mdv2009.0.x86_64.rpm 
 ebf22a3c6aa9e18847ec6c3311beb64b  2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm

 Corporate 3.0:
 4df533f45f46c2891c87dcc108aa05e6  corporate/3.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
 bbb9558c954aa6b881db878e3cb5e340  corporate/3.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
 3373382bebf28906bcb2c8a00e129ce0  corporate/3.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm 
 45d58f4c743fd8cd0b44836ade158c85  corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 ca7ddd09a8a21b18a8a7ab32ab49516c  corporate/3.0/x86_64/curl-7.11.0-2.3.C30mdk.x86_64.rpm
 3323f2165b8f0df55263222ca8bf1f0a  corporate/3.0/x86_64/lib64curl2-7.11.0-2.3.C30mdk.x86_64.rpm
 3ea5fa46f598f2008296781c5b613e7f  corporate/3.0/x86_64/lib64curl2-devel-7.11.0-2.3.C30mdk.x86_64.rpm 
 45d58f4c743fd8cd0b44836ade158c85  corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm

 Corporate 4.0:
 17241516d56baf7ba941065eed496ff5  corporate/4.0/i586/curl-7.14.0-2.3.20060mdk.i586.rpm
 9fbef738cadfc9158b3eec6cfaf66507  corporate/4.0/i586/libcurl3-7.14.0-2.3.20060mdk.i586.rpm
 0f934115755545407f79eada30feda35  corporate/4.0/i586/libcurl3-devel-7.14.0-2.3.20060mdk.i586.rpm 
 132009109cdf739189bc194c222080dc  corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm

 Corporate 4.0/X86_64:
 367d03b3f185b9ad37fd5c28e0ea956b  corporate/4.0/x86_64/curl-7.14.0-2.3.20060mdk.x86_64.rpm
 11353510721cc81b4d47defcdff0c655  corporate/4.0/x86_64/lib64curl3-7.14.0-2.3.20060mdk.x86_64.rpm
 4b0f21ce51e858915ba7a403365d8c3b  corporate/4.0/x86_64/lib64curl3-devel-7.14.0-2.3.20060mdk.x86_64.rpm 
 132009109cdf739189bc194c222080dc  corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm

 Multi Network Firewall 2.0:
 2319fdfd00d3cc01d7c219f7fafc2e4d  mnf/2.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
 a14ae20d122b773438335669b258c7fa  mnf/2.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
 6b6235adcac53c26ae2f96c824db5fe7  mnf/2.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm 
 bf370dbbaed4785446495eb94d4d8c39  mnf/2.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJsZacmqjQ0CJFipgRAvzaAKDcbRIdXyZINwGJzH0leUmSPF2OoACfZH/6
eN2UMLpTDvoCyXXeRz3oDpc=
=37RE
-----END PGP SIGNATURE-----
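
The check below is an added example, not part of the advisory and not the patch shipped in the Mandriva packages. It shows the kind of client-side policy that blocks items (2) and (3) of the problem description: refusing to follow a redirect whose target switches to file: or scp:. The function names and the allowed-scheme list are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Schemes a redirect may switch to (assumed policy for this example).
   file: and scp:, the redirect targets named in the advisory, are absent. */
static const char *const REDIRECT_ALLOWED[] = { "http", "https", "ftp" };

/* Case-insensitive match of the n-byte scheme at s against a lowercase name. */
static int scheme_equals(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i])
            return 0;
    return 1;
}

/* Length of the URI scheme at the start of location, per RFC 3986
   (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"),
   or 0 when the value is a relative reference with no scheme. */
static size_t scheme_length(const char *location)
{
    size_t i = 0;
    if (!isalpha((unsigned char)location[0]))
        return 0;
    while (isalnum((unsigned char)location[i]) || location[i] == '+' ||
           location[i] == '-' || location[i] == '.')
        i++;
    return location[i] == ':' ? i : 0;
}

/* Returns 1 if the client may follow this Location value, 0 to refuse it. */
int redirect_allowed(const char *location)
{
    size_t n, k;
    if (location == NULL)
        return 0;
    while (*location == ' ' || *location == '\t')   /* skip header padding */
        location++;
    n = scheme_length(location);
    if (n == 0)
        return *location != '\0';   /* relative: stays on the current scheme */
    for (k = 0; k < sizeof REDIRECT_ALLOWED / sizeof REDIRECT_ALLOWED[0]; k++)
        if (scheme_equals(location, n, REDIRECT_ALLOWED[k]))
            return 1;
    return 0;
}
```

A scheme allow-list does not address item (1), redirects to intranet HTTP servers, which needs a separate check on the destination host. Applications built against libcurl 7.19.4 or later can express the scheme restriction with the CURLOPT_REDIR_PROTOCOLS option.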
