Message-Id: <E1QkFuW-0005yi-QY@titan.mandriva.com>
Date: Fri, 22 Jul 2011 15:37:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:116 ] curl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:116
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : curl
 Date    : July 22, 2011
 Affected: 2009.0, 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in curl:
 
 The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6
 through 7.21.6, as used in curl and other products, always performs
 credential delegation during GSSAPI authentication, which allows remote
 servers to impersonate clients via GSSAPI requests (CVE-2011-2192).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
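 As an added illustration (not part of the advisory), a small Python check that parses `curl --version` output and flags a libcurl build whose version falls inside the affected range with GSS-Negotiate compiled in; the sample output is constructed and the function names are my own:

```python
import re

# Affected upstream range named in MDVSA-2011:116 / CVE-2011-2192.
AFFECTED_MIN = (7, 10, 6)
AFFECTED_MAX = (7, 21, 6)

# Constructed sample of `curl --version` output (not a real capture).
SAMPLE_OUTPUT = """curl 7.19.0 (i586-mandriva-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
"""


def parse_curl_version(output):
    """Return (libcurl version tuple, set of feature names) from `curl --version` text."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no libcurl/x.y.z token found in output")
    version = tuple(int(x) for x in m.groups())
    features = set()
    for line in output.splitlines():
        if line.startswith("Features:"):
            features = set(line.split(":", 1)[1].split())
    return version, features


def assess(output):
    """Classify a build for CVE-2011-2192 exposure.

    'not-affected'     : version outside 7.10.6..7.21.6, or no GSS-Negotiate
                         support, so Curl_input_negotiate is never reached.
    'affected-version' : version in range and GSS-Negotiate present. Vendor
                         builds may carry a backported fix without a version
                         bump (this advisory patches 7.19.0/7.20.1 in place),
                         so confirm the package release level before acting.
    """
    version, features = parse_curl_version(output)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-affected"
    if "GSS-Negotiate" not in features:
        return "not-affected"
    return "affected-version"


if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))  # affected-version
```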
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
