To: [email protected]Subject: [ MDVSA-2009:069 ] curl
Date: Sat, 07 Mar 2009 01:48:00 +0100
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1Lfkhs-0006lk-UM@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:069
http://www.mandriva.com/security/
_______________________________________________________________________
Package : curl
Date : March 6, 2009
Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A security vulnerability has been identified and fixed in curl, which
could allow remote HTTP servers to (1) trigger arbitrary requests to
intranet servers, (2) read or overwrite arbitrary files via a redirect
to a file: URL, or (3) execute arbitrary commands via a redirect to
an scp: URL (CVE-2009-0037).
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
67e1fb1335abc2721ce040ce5ebffcb1 2008.0/i586/curl-7.16.4-2.1mdv2008.0.i586.rpm
605b696753bcaba3f7bca0080e454a03 2008.0/i586/libcurl4-7.16.4-2.1mdv2008.0.i586.rpm
0d765f46a89a73af026ffcd5ab0bf375 2008.0/i586/libcurl-devel-7.16.4-2.1mdv2008.0.i586.rpm
5b41fd64ace9251752278ab51c485283 2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
cbb9fafd973426a0a572ed7c0c58a556 2008.0/x86_64/curl-7.16.4-2.1mdv2008.0.x86_64.rpm
cd427c136cf760b06ec4f8530f0c6d6d 2008.0/x86_64/lib64curl4-7.16.4-2.1mdv2008.0.x86_64.rpm
5e5fabf4303b50f68ea2ea3ca6c0819e 2008.0/x86_64/lib64curl-devel-7.16.4-2.1mdv2008.0.x86_64.rpm
5b41fd64ace9251752278ab51c485283 2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm
Mandriva Linux 2008.1:
372d19020afefeef9d9c076fdbcfe927 2008.1/i586/curl-7.18.0-1.1mdv2008.1.i586.rpm
8bc3d07c59a1ba1da24ecfe7ecea99ba 2008.1/i586/curl-examples-7.18.0-1.1mdv2008.1.i586.rpm
691fd3f6beb73d0c273ba22dd8edcf84 2008.1/i586/libcurl4-7.18.0-1.1mdv2008.1.i586.rpm
f40887d0d032930f77486e9e41360ad6 2008.1/i586/libcurl-devel-7.18.0-1.1mdv2008.1.i586.rpm
e9648a229edfb28f7fa366c833517573 2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
708a7b7555fc5de3fa5fe984aa2f5a62 2008.1/x86_64/curl-7.18.0-1.1mdv2008.1.x86_64.rpm
54c16d007a21e88af81907c60c3846de 2008.1/x86_64/curl-examples-7.18.0-1.1mdv2008.1.x86_64.rpm
e01f05c2973809b42dbbc86ecd42845b 2008.1/x86_64/lib64curl4-7.18.0-1.1mdv2008.1.x86_64.rpm
c09950e7fcc52961f95c2aae7a83af39 2008.1/x86_64/lib64curl-devel-7.18.0-1.1mdv2008.1.x86_64.rpm
e9648a229edfb28f7fa366c833517573 2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm
Mandriva Linux 2009.0:
12514e678a4b04123f00bc422fcf9a3a 2009.0/i586/curl-7.19.0-2.2mdv2009.0.i586.rpm
4a250c02f083f2729cfe7d23c903a386 2009.0/i586/curl-examples-7.19.0-2.2mdv2009.0.i586.rpm
f6b909859eec695f753ddba2d716b5a2 2009.0/i586/libcurl4-7.19.0-2.2mdv2009.0.i586.rpm
e5a953b568c4b8ccebe66a300885747d 2009.0/i586/libcurl-devel-7.19.0-2.2mdv2009.0.i586.rpm
ebf22a3c6aa9e18847ec6c3311beb64b 2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
e799091f80c2c44b629fc144b48effa1 2009.0/x86_64/curl-7.19.0-2.2mdv2009.0.x86_64.rpm
227315c6aefc62e9a1dd7750a3b0d81a 2009.0/x86_64/curl-examples-7.19.0-2.2mdv2009.0.x86_64.rpm
69c5335dcbe6f08fc67582bb5862ed55 2009.0/x86_64/lib64curl4-7.19.0-2.2mdv2009.0.x86_64.rpm
f01ec9b830763e5f01d799da687ec605 2009.0/x86_64/lib64curl-devel-7.19.0-2.2mdv2009.0.x86_64.rpm
ebf22a3c6aa9e18847ec6c3311beb64b 2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm
Corporate 3.0:
4df533f45f46c2891c87dcc108aa05e6 corporate/3.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
bbb9558c954aa6b881db878e3cb5e340 corporate/3.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
3373382bebf28906bcb2c8a00e129ce0 corporate/3.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm
45d58f4c743fd8cd0b44836ade158c85 corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm
Corporate 3.0/X86_64:
ca7ddd09a8a21b18a8a7ab32ab49516c corporate/3.0/x86_64/curl-7.11.0-2.3.C30mdk.x86_64.rpm
3323f2165b8f0df55263222ca8bf1f0a corporate/3.0/x86_64/lib64curl2-7.11.0-2.3.C30mdk.x86_64.rpm
3ea5fa46f598f2008296781c5b613e7f corporate/3.0/x86_64/lib64curl2-devel-7.11.0-2.3.C30mdk.x86_64.rpm
45d58f4c743fd8cd0b44836ade158c85 corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm
Corporate 4.0:
17241516d56baf7ba941065eed496ff5 corporate/4.0/i586/curl-7.14.0-2.3.20060mdk.i586.rpm
9fbef738cadfc9158b3eec6cfaf66507 corporate/4.0/i586/libcurl3-7.14.0-2.3.20060mdk.i586.rpm
0f934115755545407f79eada30feda35 corporate/4.0/i586/libcurl3-devel-7.14.0-2.3.20060mdk.i586.rpm
132009109cdf739189bc194c222080dc corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm
Corporate 4.0/X86_64:
367d03b3f185b9ad37fd5c28e0ea956b corporate/4.0/x86_64/curl-7.14.0-2.3.20060mdk.x86_64.rpm
11353510721cc81b4d47defcdff0c655 corporate/4.0/x86_64/lib64curl3-7.14.0-2.3.20060mdk.x86_64.rpm
4b0f21ce51e858915ba7a403365d8c3b corporate/4.0/x86_64/lib64curl3-devel-7.14.0-2.3.20060mdk.x86_64.rpm
132009109cdf739189bc194c222080dc corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm
Multi Network Firewall 2.0:
2319fdfd00d3cc01d7c219f7fafc2e4d mnf/2.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
a14ae20d122b773438335669b258c7fa mnf/2.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
6b6235adcac53c26ae2f96c824db5fe7 mnf/2.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm
bf370dbbaed4785446495eb94d4d8c39 mnf/2.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJsZacmqjQ0CJFipgRAvzaAKDcbRIdXyZINwGJzH0leUmSPF2OoACfZH/6
eN2UMLpTDvoCyXXeRz3oDpc=
=37RE
-----END PGP SIGNATURE-----