Date: Fri, 20 Mar 2009 15:59:14 -0500
Synopsis: Moderate: curl security update
Issue date: 2009-03-19
CVE Names: CVE-2009-0037
David Kierznowski discovered a flaw in libcurl: when handling automatic
redirects it did not restrict the protocol of the new target URL, so it
followed any URL it understood, including the "file://" URL type. A remote
server could therefore redirect a libcurl-using application to a local
file, which libcurl would read and return in place of the remote content,
possibly exposing local files that were not meant to be exposed. Only
applications that enable automatic redirects (CURLOPT_FOLLOWLOCATION) are
affected. (CVE-2009-0037)
Note: Applications using libcurl that are expected to follow redirects
to the "file://" protocol must now explicitly call curl_easy_setopt(3) and
set the newly introduced CURLOPT_REDIR_PROTOCOLS option as required.
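The following is an added example, not code from the advisory or from the curl project. It is a small Python 3 model of a redirect-following client that shows the two behaviours described above side by side: the pre-fix client follows a Location header pointing at file:// and returns local file contents, while a client with a redirect-protocol allowlist (the role CURLOPT_REDIR_PROTOCOLS plays in libcurl) refuses the same redirect but still follows an ordinary http redirect. The "server", the example.test URLs and the secret file are all constructed in the script; nothing touches the network.

```python
"""Added example, not from the advisory or the curl project: a toy
redirect-following client that models the CVE-2009-0037 behaviour and the
CURLOPT_REDIR_PROTOCOLS-style allowlist that fixes it. All responses come
from a constructed in-memory table; nothing touches the network."""
import os
import tempfile
from pathlib import Path
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class RedirectNotAllowed(Exception):
    """Raised when a Location target uses a scheme outside the allowlist
    (libcurl reports CURLE_UNSUPPORTED_PROTOCOL in this situation)."""


def build_fake_server(local_path):
    """Constructed responses: url -> (status, headers, body). The 'remote'
    server answers /report with a redirect to a file:// URL on the client."""
    return {
        "http://example.test/report": (302, {"Location": Path(local_path).as_uri()}, b""),
        "http://example.test/ok": (302, {"Location": "/final"}, b""),
        "http://example.test/final": (200, {}, b"public data"),
    }


def fetch_one(url, server):
    """One request. file:// is served from the local filesystem, as libcurl's
    FILE handler does; other schemes come from the constructed table."""
    parts = urlsplit(url)
    if parts.scheme == "file":
        with open(parts.path, "rb") as f:
            return 200, {}, f.read()
    return server[url]


def fetch(url, server, redir_protocols=None, max_redirs=5):
    """Follow redirects and return (final_url, body).

    redir_protocols=None reproduces the pre-fix behaviour: any scheme the
    client can handle is followed, file:// included. A set such as
    {"http", "https"} plays the role of CURLOPT_REDIR_PROTOCOLS: the scheme
    of every redirect target is checked against it before being followed.
    """
    for _ in range(max_redirs + 1):
        status, headers, body = fetch_one(url, server)
        if status not in REDIRECT_STATUSES:
            return url, body
        # Resolve first: a relative Location inherits the current scheme,
        # an absolute one may switch scheme, which is exactly what we check.
        target = urljoin(url, headers["Location"])
        scheme = urlsplit(target).scheme.lower()
        if redir_protocols is not None and scheme not in redir_protocols:
            raise RedirectNotAllowed(f"refusing redirect to {target}")
        url = target
    raise RuntimeError("too many redirects")


def demo():
    """Run the same redirect against the vulnerable and the fixed client."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"local secret")  # constructed stand-in for any readable file
    try:
        server = build_fake_server(path)
        # Vulnerable: the file:// redirect is followed and local data is read.
        _, leaked = fetch("http://example.test/report", server)
        # Fixed: same request, but "file" is not in the redirect allowlist.
        try:
            fetch("http://example.test/report", server, redir_protocols={"http", "https"})
            refused = False
        except RedirectNotAllowed:
            refused = True
        # An ordinary same-site redirect still works under the allowlist.
        _, body = fetch("http://example.test/ok", server, redir_protocols={"http", "https"})
        return leaked, refused, body
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

In the real C API the allowlist is a bitmask of CURLPROTO_* values set alongside CURLOPT_FOLLOWLOCATION, for example curl_easy_setopt(handle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); upstream introduced the option in 7.19.4 with a default that excludes FILE and SCP from redirects, and the packages above carry that change as a backport. Applications that never intend to follow a redirect into a different protocol should set the mask explicitly rather than rely on the default.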
All running applications using libcurl must be restarted for the update
to take effect.
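Added example, not part of the advisory: a Python 3 scan of /proc/<pid>/maps that lists the processes still holding libcurl in memory, which is what the restart requirement above is about. After the RPM update replaces the library file, the kernel marks the old mapping "(deleted)" in maps, so the scan also reports whether a process is running the pre-update copy. The process names and map lines used by demo() are constructed; the live scan in the __main__ block reads the real /proc and needs root to see every process.

```python
"""Added example, not part of the advisory: find processes that still have
libcurl mapped (and therefore need a restart to pick up the update) by
reading /proc/<pid>/maps. Python 3; run as root to see every process."""
import os
import re
import tempfile


def processes_mapping(lib_pattern=r"/libcurl\.so", proc_root="/proc"):
    """Return {pid: (argv0, stale)} for every process whose address space
    maps a file matching lib_pattern. stale is True when the kernel marks
    the mapping '(deleted)', i.e. the file on disk has been replaced by the
    package update but the old copy is still in use. proc_root is a
    parameter only so the scan can be run against a constructed tree."""
    pat = re.compile(lib_pattern)
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip self, sys, net, ...
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "maps")) as f:
                hits = [line.rstrip("\n") for line in f if pat.search(line)]
            if not hits:
                continue
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace") or "?"
        except OSError:
            # maps unreadable without root, or the process exited mid-scan
            continue
        stale = any(h.endswith("(deleted)") for h in hits)
        found[int(entry)] = (argv0, stale)
    return found


def build_fake_proc(root):
    """Constructed /proc tree: one process holding a replaced (deleted)
    libcurl, one mapping the current copy, one without libcurl at all, and
    a non-numeric entry that must be skipped."""
    maps_libcurl = ("7f3a2c000000-7f3a2c05a000 r-xp 00000000 fd:00 1234 "
                    "/usr/lib64/libcurl.so.3.0.0")
    entries = {
        "101": ("/usr/bin/reportd", maps_libcurl + " (deleted)\n"),
        "202": ("/usr/bin/curl", maps_libcurl + "\n"),
        "303": ("/usr/sbin/sshd",
                "7f3a2b000000-7f3a2b150000 r-xp 00000000 fd:00 99 /lib64/libc-2.5.so\n"),
        "self": ("ignored", maps_libcurl + "\n"),
    }
    for name, (argv0, maps) in entries.items():
        d = os.path.join(root, name)
        os.makedirs(d)
        with open(os.path.join(d, "maps"), "w") as f:
            f.write(maps)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(argv0.encode() + b"\0--daemon\0")


def demo():
    """Exercise the scan against the constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        build_fake_proc(root)
        return processes_mapping(proc_root=root)


if __name__ == "__main__":
    for pid, (argv0, stale) in sorted(processes_mapping().items()):
        print(f"{pid:>7}  {'STALE ' if stale else 'current'}  {argv0}")
```

Reading maps catches processes that loaded libcurl through a dependency or dlopen(3) as well as those linked against it directly; "lsof | grep libcurl" gives a similar list where lsof is installed. Anything reported as STALE is still executing the vulnerable code until it is restarted.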
SL 3.0.x
SRPMS:
curl-7.10.6-9.rhel3.src.rpm
i386:
curl-7.10.6-9.rhel3.i386.rpm
curl-devel-7.10.6-9.rhel3.i386.rpm
x86_64:
curl-7.10.6-9.rhel3.i386.rpm
curl-7.10.6-9.rhel3.x86_64.rpm
curl-devel-7.10.6-9.rhel3.x86_64.rpm
SL 4.x
SRPMS:
curl-7.12.1-11.1.el4_7.1.src.rpm
i386:
curl-7.12.1-11.1.1.i386.rpm
curl-devel-7.12.1-11.1.1.i386.rpm
x86_64:
curl-7.12.1-11.1.1.i386.rpm
curl-7.12.1-11.1.el4_7.1.x86_64.rpm
curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm
SL 5.x
SRPMS:
curl-7.15.5-2.1.el5_3.4.src.rpm
i386:
curl-7.15.5-2.1.el5_3.4.i386.rpm
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm
x86_64:
curl-7.15.5-2.1.el5_3.4.i386.rpm
curl-7.15.5-2.1.el5_3.4.x86_64.rpm
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm
curl-devel-7.15.5-2.1.el5_3.4.x86_64.rpm
-Connie Sieh
-Troy Dawson