(RHSA-2009:0341) Moderate: curl security update

2009-03-1900:00:00

access.redhat.com

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

80.8%

JSON

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict
servers, using any of the supported protocols. cURL is designed to work
without user interaction or any kind of interactivity.

David Kierznowski discovered a flaw in libcurl where it would not
differentiate between different target URLs when handling automatic
redirects. This caused libcurl to follow any new URL that it understood,
including the “file://” URL type. This could allow a remote server to force
a local libcurl-using application to read a local file instead of the
remote one, possibly exposing local files that were not meant to be
exposed. (CVE-2009-0037)

Note: Applications using libcurl that are expected to follow redirects to
“file://” protocol must now explicitly call curl_easy_setopt(3) and set the
newly introduced CURLOPT_REDIR_PROTOCOLS option as required.

cURL users should upgrade to these updated packages, which contain
backported patches to correct these issues. All running applications using
libcurl must be restarted for the update to take effect.

OSVersionArchitecturePackageVersionFilename
RedHat4ia64curl-devel< 7.12.1-11.1.el4_7.1curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm
RedHat5ppc64curl< 7.15.5-2.1.el5_3.4curl-7.15.5-2.1.el5_3.4.ppc64.rpm
RedHat4i386curl-devel< 7.12.1-11.1.el4_7.1curl-devel-7.12.1-11.1.el4_7.1.i386.rpm
RedHatanyx86_64curl< 7.10.6-9.rhel3curl-7.10.6-9.rhel3.x86_64.rpm
RedHat5s390xcurl< 7.15.5-2.1.el5_3.4curl-7.15.5-2.1.el5_3.4.s390x.rpm
RedHatanyi386curl< 7.10.6-9.rhel3curl-7.10.6-9.rhel3.i386.rpm
RedHatanyia64curl-devel< 7.10.6-9.rhel3curl-devel-7.10.6-9.rhel3.ia64.rpm
RedHat4x86_64curl< 7.12.1-11.1.el4_7.1curl-7.12.1-11.1.el4_7.1.x86_64.rpm
RedHatanyppccurl-devel< 7.10.6-9.rhel3curl-devel-7.10.6-9.rhel3.ppc.rpm
RedHat5ia64curl-devel< 7.15.5-2.1.el5_3.4curl-devel-7.15.5-2.1.el5_3.4.ia64.rpm

OS	Version	Architecture	Package	Version	Filename
RedHat	4	ia64	curl-devel	< 7.12.1-11.1.el4_7.1	curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm
RedHat	5	ppc64	curl	< 7.15.5-2.1.el5_3.4	curl-7.15.5-2.1.el5_3.4.ppc64.rpm
RedHat	4	i386	curl-devel	< 7.12.1-11.1.el4_7.1	curl-devel-7.12.1-11.1.el4_7.1.i386.rpm
RedHat	any	x86_64	curl	< 7.10.6-9.rhel3	curl-7.10.6-9.rhel3.x86_64.rpm
RedHat	5	s390x	curl	< 7.15.5-2.1.el5_3.4	curl-7.15.5-2.1.el5_3.4.s390x.rpm
RedHat	any	i386	curl	< 7.10.6-9.rhel3	curl-7.10.6-9.rhel3.i386.rpm
RedHat	any	ia64	curl-devel	< 7.10.6-9.rhel3	curl-devel-7.10.6-9.rhel3.ia64.rpm
RedHat	4	x86_64	curl	< 7.12.1-11.1.el4_7.1	curl-7.12.1-11.1.el4_7.1.x86_64.rpm
RedHat	any	ppc	curl-devel	< 7.10.6-9.rhel3	curl-devel-7.10.6-9.rhel3.ppc.rpm
RedHat	5	ia64	curl-devel	< 7.15.5-2.1.el5_3.4	curl-devel-7.15.5-2.1.el5_3.4.ia64.rpm