Date: Wed, 7 Apr 2010 13:30:19 -0500
Synopsis: Moderate: curl security, bug fix and enhancement update
Issue date: 2010-03-30
CVE Names: CVE-2010-0734
Wesley Miaw discovered that when deflate compression was used, libcurl
could call the registered write callback function with data exceeding
the documented limit. A malicious server could use this flaw to crash an
application using libcurl or, potentially, execute arbitrary code. Note:
This issue only affected applications using libcurl that rely on the
documented data size limit, and that copy the data to the insufficiently
sized buffer. (CVE-2010-0734)
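The application-side defense against the pattern described above, as an added example that is not part of the advisory or of the curl project: a CURLOPT_WRITEFUNCTION callback that validates the real chunk length before copying into a buffer sized to the documented limit, and refuses the chunk (short return, which makes libcurl abort the transfer) when it does not fit. MAX_WRITE, struct sink and deliver_chunk() are assumptions standing in for libcurl's CURL_MAX_WRITE_SIZE, the application's own state and libcurl's delivery loop; libcurl itself is not linked.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Documented per-call ceiling for the write callback (libcurl's
 * CURL_MAX_WRITE_SIZE defaults to 16384); the application must not
 * treat it as a guarantee.  Assumed value for this example. */
#define MAX_WRITE 16384

struct sink {
    char buf[MAX_WRITE];   /* fixed buffer sized to the documented limit */
    size_t len;            /* bytes stored by the last call */
    int refused;           /* set when a chunk did not fit */
};

/* Same signature libcurl uses for CURLOPT_WRITEFUNCTION.
 * Vulnerable pattern (the one CVE-2010-0734 hits):
 *     memcpy(s->buf, ptr, size * nmemb);   no check against sizeof buf
 * With deflate content the affected libcurl could hand over more than
 * MAX_WRITE bytes, so that copy overran buf.  The hardened version
 * checks the real length and returns a short count, which makes
 * libcurl abort the transfer with CURLE_WRITE_ERROR. */
size_t write_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n;
    if (size != 0 && nmemb > SIZE_MAX / size)   /* size*nmemb would wrap */
        return 0;
    n = size * nmemb;
    if (n > sizeof s->buf) {                     /* chunk exceeds buffer */
        s->refused = 1;
        return 0;                                /* != n: libcurl aborts */
    }
    memcpy(s->buf, ptr, n);
    s->len = n;
    return n;
}

/* Stand-in for libcurl delivering one chunk (constructed simulation, not
 * libcurl code).  Returns 1 if the callback accepted it, 0 if refused. */
int deliver_chunk(size_t chunk_len)
{
    static char payload[MAX_WRITE * 2];   /* constructed source data */
    struct sink s = { {0}, 0, 0 };
    if (chunk_len > sizeof payload)
        return 0;
    memset(payload, 'A', sizeof payload);
    return write_cb(payload, 1, chunk_len, &s) == chunk_len && !s.refused;
}
```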
This update also fixes the following bugs:
* when using curl to upload a file, if the connection was broken or
reset by the server during the transfer, curl immediately started using
100% CPU and failed to acknowledge that the transfer had failed. With
this update, curl displays an appropriate error message and exits when
an upload fails mid-transfer due to a broken or reset connection.
(BZ#479967)
* libcurl experienced a segmentation fault when attempting to reuse a
connection after performing GSS-negotiate authentication, which in turn
caused the curl program to crash. This update fixes this bug so that
reused connections can be established successfully even after
GSS-negotiate authentication has been performed. (BZ#517199)
This update also adds the following enhancements:
* curl now supports loading Certificate Revocation Lists (CRLs) from a
Privacy Enhanced Mail (PEM) file. When curl attempts to access sites
that have had their certificate revoked in a CRL, curl refuses access to
those sites. (BZ#532069)
* the curl(1) manual page has been updated to clarify that the
"--socks4" and "--socks5" options do not work with the IPv6, FTPS, or
LDAP protocols. (BZ#473128)
* the curl utility's program help, which is accessed by running "curl
-h", has been updated with descriptions for the "--ftp-account" and
"--ftp-alternative-to-user" options. (BZ#517084)
All running applications using libcurl must be restarted for the update
to take effect.
SL 5.x
SRPMS:
curl-7.15.5-9.el5.src.rpm
i386:
curl-7.15.5-9.el5.i386.rpm
curl-devel-7.15.5-9.el5.i386.rpm
x86_64:
curl-7.15.5-9.el5.i386.rpm
curl-7.15.5-9.el5.x86_64.rpm
curl-devel-7.15.5-9.el5.i386.rpm
curl-devel-7.15.5-9.el5.x86_64.rpm
-Connie Sieh
-Troy Dawson