Message-Id: <E1QkFuW-0005yi-QY@titan.mandriva.com>
Date: Fri, 22 Jul 2011 15:37:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2011:116 ] curl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:116
http://www.mandriva.com/security/
_______________________________________________________________________
Package : curl
Date : July 22, 2011
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:

A vulnerability was discovered and corrected in curl:

The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6
through 7.21.6, as used in curl and other products, always performs
credential delegation during GSSAPI authentication, which allows remote
servers to impersonate clients via GSSAPI requests (CVE-2011-2192).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490

The updated packages have been patched to correct this issue.
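
Added example (not part of the Mandriva advisory): a POSIX shell triage of `curl --version` text against the upstream range quoted above. The sample output and the reliance on the `GSS-Negotiate` feature name are assumptions; the fixed packages in this advisory keep upstream versions 7.19.0 and 7.20.1, so an in-range result means the installed package release must still be compared with the Updated Packages list.

```shell
#!/bin/sh
# Added example: triage `curl --version` text against the upstream range in
# CVE-2011-2192 (libcurl 7.10.6 through 7.21.6). Not Mandriva's or curl's code.

# Turn MAJOR.MINOR.PATCH into one comparable integer, e.g. 7.21.6 -> 7021006.
ver_num() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# classify_curl TEXT prints one of:
#   unknown             no libcurl/x.y.z token found
#   outside-range       upstream version is not 7.10.6..7.21.6
#   in-range-no-gssapi  in range, Negotiate support not listed in Features
#   in-range-gssapi     in range with GSS-Negotiate: check the package release,
#                       because patched distribution builds keep the old version
classify_curl() {
    text=$1
    ver=$(printf '%s\n' "$text" |
          sed -n 's/.*libcurl\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
          head -n 1)
    [ -n "$ver" ] || { echo unknown; return; }
    n=$(ver_num "$ver")
    # Assumption: builds of this era list GSSAPI support as "GSS-Negotiate".
    feats=$(printf '%s\n' "$text" | sed -n 's/^Features://p')
    if [ "$n" -lt "$(ver_num 7.10.6)" ] || [ "$n" -gt "$(ver_num 7.21.6)" ]; then
        echo outside-range
    else
        case " $feats " in
            *" GSS-Negotiate "*) echo in-range-gssapi ;;
            *)                   echo in-range-no-gssapi ;;
        esac
    fi
}

# Constructed sample resembling `curl --version` output (not captured from a host).
SAMPLE='curl 7.19.0 (i586-example-linux-gnu) libcurl/7.19.0 OpenSSL/0.9.8h zlib/1.2.3
Protocols: http https ftp
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz'

classify_curl "$SAMPLE"
```

On a live system, pass the real output with `classify_curl "$(curl --version)"`.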
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
efa7576a48725c44f2f53eb42e9f5a24 2009.0/i586/curl-7.19.0-2.5mdv2009.0.i586.rpm
51928c0f801f157351f3843f794c2ec9 2009.0/i586/curl-examples-7.19.0-2.5mdv2009.0.i586.rpm
3e8584e39fc7946ffdc4ddd7c0a23b78 2009.0/i586/libcurl4-7.19.0-2.5mdv2009.0.i586.rpm
5b48546182e7323b1b95e3b084a63d1e 2009.0/i586/libcurl-devel-7.19.0-2.5mdv2009.0.i586.rpm
e2ba5684e62b6ad3ed4e2ed8fe974a37 2009.0/SRPMS/curl-7.19.0-2.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
fd13f40cfeba7fab958fdcc3eec98f9c 2009.0/x86_64/curl-7.19.0-2.5mdv2009.0.x86_64.rpm
8078cbc6bdb189e5c105d0eef53f3ad1 2009.0/x86_64/curl-examples-7.19.0-2.5mdv2009.0.x86_64.rpm
e319ecc8e70c0d222ec021c6bf2b884e 2009.0/x86_64/lib64curl4-7.19.0-2.5mdv2009.0.x86_64.rpm
d43e6b3b4caa23d483d4205c19a4127f 2009.0/x86_64/lib64curl-devel-7.19.0-2.5mdv2009.0.x86_64.rpm
e2ba5684e62b6ad3ed4e2ed8fe974a37 2009.0/SRPMS/curl-7.19.0-2.5mdv2009.0.src.rpm
Mandriva Linux 2010.1:
1f3c2a90fb01fcc2719bce3e9645c66b 2010.1/i586/curl-7.20.1-2.1mdv2010.2.i586.rpm
b1c758033beb896b902fa0ba418756b3 2010.1/i586/curl-examples-7.20.1-2.1mdv2010.2.i586.rpm
a8c2de51650c92a409aba918c15697b2 2010.1/i586/libcurl4-7.20.1-2.1mdv2010.2.i586.rpm
650e33c87271d5c4f2e5b698c8de972e 2010.1/i586/libcurl-devel-7.20.1-2.1mdv2010.2.i586.rpm
1488b217fbc0731d77e79540444b54a9 2010.1/SRPMS/curl-7.20.1-2.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
be7a877b6af363e470630d4edd1b65ab 2010.1/x86_64/curl-7.20.1-2.1mdv2010.2.x86_64.rpm
fdea83447b30e83229eda4c4dd9e3eaf 2010.1/x86_64/curl-examples-7.20.1-2.1mdv2010.2.x86_64.rpm
47eb4d21393bc10329bdcc7fed3105ec 2010.1/x86_64/lib64curl4-7.20.1-2.1mdv2010.2.x86_64.rpm
d074056b2ec8e0af34d6fb63de9e9259 2010.1/x86_64/lib64curl-devel-7.20.1-2.1mdv2010.2.x86_64.rpm
1488b217fbc0731d77e79540444b54a9 2010.1/SRPMS/curl-7.20.1-2.1mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
c1ca16b888b0873a9dfe7b7d62922b7d mes5/i586/curl-7.19.0-2.5mdvmes5.2.i586.rpm
a00a332d35f477c84e9d92fb52f1ec49 mes5/i586/curl-examples-7.19.0-2.5mdvmes5.2.i586.rpm
de1a06a70f3850d1fe4fdf62e355dce1 mes5/i586/libcurl4-7.19.0-2.5mdvmes5.2.i586.rpm
8a1797aca267e5eec1b5ff5da16527a6 mes5/i586/libcurl-devel-7.19.0-2.5mdvmes5.2.i586.rpm
febf373948a2a1caae63d4c0645483e6 mes5/SRPMS/curl-7.19.0-2.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
1a4bedbbcc5e6c5f58f44bbd70818266 mes5/x86_64/curl-7.19.0-2.5mdvmes5.2.x86_64.rpm
e24a7d74b4967bd4575ca66a09c5c2bf mes5/x86_64/curl-examples-7.19.0-2.5mdvmes5.2.x86_64.rpm
8adb8518393e336ba74ae0ce40ec0ac5 mes5/x86_64/lib64curl4-7.19.0-2.5mdvmes5.2.x86_64.rpm
809213447e1ef7e785960ca354396a18 mes5/x86_64/lib64curl-devel-7.19.0-2.5mdvmes5.2.x86_64.rpm
febf373948a2a1caae63d4c0645483e6 mes5/SRPMS/curl-7.19.0-2.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFOKU19mqjQ0CJFipgRAv5IAJ0UtAC7pqlCpuf8qFwB9X+1wdi9iQCg5SJE
hN4gsacKVHHLF60rcCZldDY=
=3rAe
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/