The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[USN-726-2] curl regression


<< Previous INDEX Search src / Print Next >> 
Subject: [USN-726-2] curl regression
From: Marc Deslauriers <marc.deslauriers@canonical.com.>
To: [email protected]
X-Original-To: [email protected]
X-Mailcontrol-Inbound: uq3drnD2P+ps5SfEb0fvr78+NoP1DHBZwGqKpaXB2eTgNv8D6KLIxb8+NoP1DHBZ8VSaBg0k0xw=
X-Spam-Score: -4.4
X-Scanned-By: MailControl A_08_51_00 (www.mailcontrol.com) on 10.74.0.143
Date: Wed, 04 Mar 2009 10:09:19 -0500
Message-Id: <1236179359.6505.1.camel@mdlinux.technorage.com.>
Mime-Version: 1.0
X-Mailer: Evolution 2.25.92 
X-Mailman-Approved-At: Thu, 05 Mar 2009 23:48:23 +0000
Cc: [email protected],
        "[email protected]" <bugtraq@securityfocus.com.>
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.8
Reply-To: [email protected],
        Ubuntu Security <security@ubuntu.com.>
Content-Type: multipart/mixed; boundary="===============6655108073400217189=="
Mime-version: 1.0
Sender: [email protected]
Errors-To: [email protected]
X-Virus-Scanned: antivirus-gw at tyumen.ru


--===============6655108073400217189==
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-L93ZgGm9Fd8arsfym5E/"


--=-L93ZgGm9Fd8arsfym5E/
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D
Ubuntu Security Notice USN-726-2             March 04, 2009
curl regression
https://launchpad.net/bugs/337501
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  libcurl3                        7.18.2-1ubuntu4.3
  libcurl3-gnutls                 7.18.2-1ubuntu4.3

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

USN-726-1 fixed a vulnerability in curl. Due to an incomplete fix, a regres=
sion
was introduced in Ubuntu 8.10 that caused certain types of URLs to fail. Th=
is
update fixes the problem. We apologize for the inconvenience.

Original advisory details:

 It was discovered that curl did not enforce any restrictions when followin=
g
 URL redirects. If a user or automated system were tricked into opening a U=
RL to
 an untrusted server, an attacker could use redirects to gain access to abi=
trary
 files. This update changes curl behavior to prevent following "file" URLs =
after
 a redirect.


Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.18.2-1ubuntu4=
.3.diff.gz
      Size/MD5:    22444 f03a34d199a3dfe6862d4f93b6704e10
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.18.2-1ubuntu4=
.3.dsc
      Size/MD5:     1491 906af0232a5e1c0a02e921eb508eff57
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.18.2.orig.tar=
.gz
      Size/MD5:  2273077 4fe99398a64a34613c9db7bd61bf6e3c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.18.2-1ubuntu4=
.3_amd64.deb
      Size/MD5:   210392 605f35f7ab21dc4ed16205f73f5ce335
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.18.2-=
1ubuntu4.3_amd64.deb
      Size/MD5:  1124818 52b6531b8d0ba56e47844b90faaa7d88
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.18=
.2-1ubuntu4.3_amd64.deb
      Size/MD5:   216220 700b648d0e4b4346da9dd4ba9421962f
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.18.2-1ubu=
ntu4.3_amd64.deb
      Size/MD5:   223312 58580fc77cdd1a93439ee92875aee1fc
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl4-gnutls-dev_=
7.18.2-1ubuntu4.3_amd64.deb
      Size/MD5:   926208 16822154e80a941fd4305169d7979379
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl4-openssl-dev=
_7.18.2-1ubuntu4.3_amd64.deb
      Size/MD5:   933192 ae5cc0e338e4f2d9f43ceac6c92303f0

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/c/curl/curl_7.18.2-1ubuntu4=
.3_i386.deb
      Size/MD5:   209182 e34d8187746e820d6328fdc4540e7e73
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-dbg_7.18.2-=
1ubuntu4.3_i386.deb
      Size/MD5:  1092044 3d9e9bf04f0dd77c09ff967ce0822011
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3-gnutls_7.18=
.2-1ubuntu4.3_i386.deb
      Size/MD5:   212674 bdad3624169c184cdee7153dfdc61a16
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl3_7.18.2-1ubu=
ntu4.3_i386.deb
      Size/MD5:   219586 e9b3008f8cb5047b326b4d3f1f6e0323
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl4-gnutls-dev_=
7.18.2-1ubuntu4.3_i386.deb
      Size/MD5:   899702 6dd63d112bdc8055636b2c8edfdd24a2
    http://security.ubuntu.com/ubuntu/pool/main/c/curl/libcurl4-openssl-dev=
_7.18.2-1ubuntu4.3_i386.deb
      Size/MD5:   905420 ff0b8f23fd90555ffe215698ac644cdf

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/c/curl/curl_7.18.2-1ubuntu4.3_lpia.de=
b
      Size/MD5:   208850 1c452ad9122b12518bf1b5c8b3996c3b
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3-dbg_7.18.2-1ubuntu4.3=
_lpia.deb
      Size/MD5:  1099132 7735bb7e7c240be1a5f9ee749a67eb6e
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3-gnutls_7.18.2-1ubuntu=
4.3_lpia.deb
      Size/MD5:   210934 5f3eea9bf9eece8f91200332c6f41b6a
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3_7.18.2-1ubuntu4.3_lpi=
a.deb
      Size/MD5:   217456 eebef9ad6914c70cb38b0fa08875233c
    http://ports.ubuntu.com/pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-1ub=
untu4.3_lpia.deb
      Size/MD5:   898570 21805c5b24e9477670aad07d167d56ab
    http://ports.ubuntu.com/pool/main/c/curl/libcurl4-openssl-dev_7.18.2-1u=
buntu4.3_lpia.deb
      Size/MD5:   903918 90628d272b4301c968ef5cf446c778fe

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/c/curl/curl_7.18.2-1ubuntu4.3_powerpc=
.deb
      Size/MD5:   212598 4003e25fccb2f67b75f451e60d7e9362
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3-dbg_7.18.2-1ubuntu4.3=
_powerpc.deb
      Size/MD5:  1130394 f755328b6c0df8b6963ea39255594cfb
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3-gnutls_7.18.2-1ubuntu=
4.3_powerpc.deb
      Size/MD5:   223766 b72e7008472791b08bba97fc57857f1b
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3_7.18.2-1ubuntu4.3_pow=
erpc.deb
      Size/MD5:   229632 d891ef64864441ba7f2496c29b57d49a
    http://ports.ubuntu.com/pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-1ub=
untu4.3_powerpc.deb
      Size/MD5:   925530 35c2284ab719cb773592ea4bc8679af6
    http://ports.ubuntu.com/pool/main/c/curl/libcurl4-openssl-dev_7.18.2-1u=
buntu4.3_powerpc.deb
      Size/MD5:   931828 f29cf3a604d660801e1b011fa409af90

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/c/curl/curl_7.18.2-1ubuntu4.3_sparc.d=
eb
      Size/MD5:   209654 b25b0908a500fb1c6ba5e9af876249ac
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3-dbg_7.18.2-1ubuntu4.3=
_sparc.deb
      Size/MD5:  1072608 7c3c67a9fcd09e1807a22d6ba110790e
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3-gnutls_7.18.2-1ubuntu=
4.3_sparc.deb
      Size/MD5:   209368 cb36362b891401548905671dee5057db
    http://ports.ubuntu.com/pool/main/c/curl/libcurl3_7.18.2-1ubuntu4.3_spa=
rc.deb
      Size/MD5:   214076 49e05a9531109bcc7cbbce75adb29681
    http://ports.ubuntu.com/pool/main/c/curl/libcurl4-gnutls-dev_7.18.2-1ub=
untu4.3_sparc.deb
      Size/MD5:   904932 56300cb1c407a1b90d23b72a22df0b56
    http://ports.ubuntu.com/pool/main/c/curl/libcurl4-openssl-dev_7.18.2-1u=
buntu4.3_sparc.deb
      Size/MD5:   909964 92dc9ddcf638da3dcac80c7f90373b10



--=-L93ZgGm9Fd8arsfym5E/
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkmumZ0ACgkQLMAs/0C4zNqLnACfYoK+AWvyF7aVelAWlDfZW/oe
M9YAmgPpu3yeIi5GwBbCjW9JDwNnXVH9
=hsho
-----END PGP SIGNATURE-----

--=-L93ZgGm9Fd8arsfym5E/--



--===============6655108073400217189==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
ubuntu-security-announce mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============6655108073400217189==--

<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей 		Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру