6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.008 Low
EPSS
Percentile
80.8%
CentOS Errata and Security Advisory CESA-2009:0341
cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict
servers, using any of the supported protocols. cURL is designed to work
without user interaction or any kind of interactivity.
David Kierznowski discovered a flaw in libcurl where it would not
differentiate between different target URLs when handling automatic
redirects. This caused libcurl to follow any new URL that it understood,
including the “file://” URL type. This could allow a remote server to force
a local libcurl-using application to read a local file instead of the
remote one, possibly exposing local files that were not meant to be
exposed. (CVE-2009-0037)
Note: Applications using libcurl that are expected to follow redirects to
“file://” protocol must now explicitly call curl_easy_setopt(3) and set the
newly introduced CURLOPT_REDIR_PROTOCOLS option as required.
cURL users should upgrade to these updated packages, which contain
backported patches to correct these issues. All running applications using
libcurl must be restarted for the update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-April/077970.html
https://lists.centos.org/pipermail/centos-announce/2009-April/077971.html
https://lists.centos.org/pipermail/centos-announce/2009-March/077848.html
https://lists.centos.org/pipermail/centos-announce/2009-March/077849.html
https://lists.centos.org/pipermail/centos-announce/2009-March/077852.html
https://lists.centos.org/pipermail/centos-announce/2009-March/077853.html
https://lists.centos.org/pipermail/centos-announce/2009-March/077856.html
https://lists.centos.org/pipermail/centos-announce/2009-March/077857.html
Affected packages:
curl
curl-devel
Upstream details at:
https://access.redhat.com/errata/RHSA-2009:0341
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 3 | ia64 | curl | < 7.10.6-9.rhel3 | curl-7.10.6-9.rhel3.ia64.rpm |
CentOS | 3 | ia64 | curl-devel | < 7.10.6-9.rhel3 | curl-devel-7.10.6-9.rhel3.ia64.rpm |
CentOS | 3 | ia64 | curl | < 7.10.6-9.rhel3 | curl-7.10.6-9.rhel3.ia64.rpm |
CentOS | 3 | ia64 | curl-devel | < 7.10.6-9.rhel3 | curl-devel-7.10.6-9.rhel3.ia64.rpm |
CentOS | 4 | ia64 | curl | < 7.12.1-11.1.c4.1 | curl-7.12.1-11.1.c4.1.ia64.rpm |
CentOS | 4 | ia64 | curl-devel | < 7.12.1-11.1.c4.1 | curl-devel-7.12.1-11.1.c4.1.ia64.rpm |
CentOS | 4 | ia64 | curl | < 7.12.1-11.1.c4.1 | curl-7.12.1-11.1.c4.1.ia64.rpm |
CentOS | 4 | ia64 | curl-devel | < 7.12.1-11.1.c4.1 | curl-devel-7.12.1-11.1.c4.1.ia64.rpm |
CentOS | 3 | s390 | curl | < 7.10.6-9.rhel3 | curl-7.10.6-9.rhel3.s390.rpm |
CentOS | 3 | s390 | curl-devel | < 7.10.6-9.rhel3 | curl-devel-7.10.6-9.rhel3.s390.rpm |