[ MDVSA-2009:069 ] curl

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [ MDVSA-2009:069 ] curl
From: security@xxxxxxxxxxxx
Date: Sat, 07 Mar 2009 01:48:00 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: <xsecurity@xxxxxxxxxxxx>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:069
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : curl
 Date    : March 6, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in curl, which
 could allow remote HTTP servers to (1) trigger arbitrary requests to
 intranet servers, (2) read or overwrite arbitrary files via a redirect
 to a file: URL, or (3) execute arbitrary commands via a redirect to
 an scp: URL (CVE-2009-0037).
 
 The updated packages have been patched to prevent this.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 67e1fb1335abc2721ce040ce5ebffcb1  2008.0/i586/curl-7.16.4-2.1mdv2008.0.i586.rpm
 605b696753bcaba3f7bca0080e454a03  
2008.0/i586/libcurl4-7.16.4-2.1mdv2008.0.i586.rpm
 0d765f46a89a73af026ffcd5ab0bf375  
2008.0/i586/libcurl-devel-7.16.4-2.1mdv2008.0.i586.rpm 
 5b41fd64ace9251752278ab51c485283  2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 cbb9fafd973426a0a572ed7c0c58a556  
2008.0/x86_64/curl-7.16.4-2.1mdv2008.0.x86_64.rpm
 cd427c136cf760b06ec4f8530f0c6d6d  
2008.0/x86_64/lib64curl4-7.16.4-2.1mdv2008.0.x86_64.rpm
 5e5fabf4303b50f68ea2ea3ca6c0819e  
2008.0/x86_64/lib64curl-devel-7.16.4-2.1mdv2008.0.x86_64.rpm 
 5b41fd64ace9251752278ab51c485283  2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 372d19020afefeef9d9c076fdbcfe927  2008.1/i586/curl-7.18.0-1.1mdv2008.1.i586.rpm
 8bc3d07c59a1ba1da24ecfe7ecea99ba  
2008.1/i586/curl-examples-7.18.0-1.1mdv2008.1.i586.rpm
 691fd3f6beb73d0c273ba22dd8edcf84  
2008.1/i586/libcurl4-7.18.0-1.1mdv2008.1.i586.rpm
 f40887d0d032930f77486e9e41360ad6  
2008.1/i586/libcurl-devel-7.18.0-1.1mdv2008.1.i586.rpm 
 e9648a229edfb28f7fa366c833517573  2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 708a7b7555fc5de3fa5fe984aa2f5a62  
2008.1/x86_64/curl-7.18.0-1.1mdv2008.1.x86_64.rpm
 54c16d007a21e88af81907c60c3846de  
2008.1/x86_64/curl-examples-7.18.0-1.1mdv2008.1.x86_64.rpm
 e01f05c2973809b42dbbc86ecd42845b  
2008.1/x86_64/lib64curl4-7.18.0-1.1mdv2008.1.x86_64.rpm
 c09950e7fcc52961f95c2aae7a83af39  
2008.1/x86_64/lib64curl-devel-7.18.0-1.1mdv2008.1.x86_64.rpm 
 e9648a229edfb28f7fa366c833517573  2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 12514e678a4b04123f00bc422fcf9a3a  2009.0/i586/curl-7.19.0-2.2mdv2009.0.i586.rpm
 4a250c02f083f2729cfe7d23c903a386  
2009.0/i586/curl-examples-7.19.0-2.2mdv2009.0.i586.rpm
 f6b909859eec695f753ddba2d716b5a2  
2009.0/i586/libcurl4-7.19.0-2.2mdv2009.0.i586.rpm
 e5a953b568c4b8ccebe66a300885747d  
2009.0/i586/libcurl-devel-7.19.0-2.2mdv2009.0.i586.rpm 
 ebf22a3c6aa9e18847ec6c3311beb64b  2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 e799091f80c2c44b629fc144b48effa1  
2009.0/x86_64/curl-7.19.0-2.2mdv2009.0.x86_64.rpm
 227315c6aefc62e9a1dd7750a3b0d81a  
2009.0/x86_64/curl-examples-7.19.0-2.2mdv2009.0.x86_64.rpm
 69c5335dcbe6f08fc67582bb5862ed55  
2009.0/x86_64/lib64curl4-7.19.0-2.2mdv2009.0.x86_64.rpm
 f01ec9b830763e5f01d799da687ec605  
2009.0/x86_64/lib64curl-devel-7.19.0-2.2mdv2009.0.x86_64.rpm 
 ebf22a3c6aa9e18847ec6c3311beb64b  2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm

 Corporate 3.0:
 4df533f45f46c2891c87dcc108aa05e6  
corporate/3.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
 bbb9558c954aa6b881db878e3cb5e340  
corporate/3.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
 3373382bebf28906bcb2c8a00e129ce0  
corporate/3.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm 
 45d58f4c743fd8cd0b44836ade158c85  
corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 ca7ddd09a8a21b18a8a7ab32ab49516c  
corporate/3.0/x86_64/curl-7.11.0-2.3.C30mdk.x86_64.rpm
 3323f2165b8f0df55263222ca8bf1f0a  
corporate/3.0/x86_64/lib64curl2-7.11.0-2.3.C30mdk.x86_64.rpm
 3ea5fa46f598f2008296781c5b613e7f  
corporate/3.0/x86_64/lib64curl2-devel-7.11.0-2.3.C30mdk.x86_64.rpm 
 45d58f4c743fd8cd0b44836ade158c85  
corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm

 Corporate 4.0:
 17241516d56baf7ba941065eed496ff5  
corporate/4.0/i586/curl-7.14.0-2.3.20060mdk.i586.rpm
 9fbef738cadfc9158b3eec6cfaf66507  
corporate/4.0/i586/libcurl3-7.14.0-2.3.20060mdk.i586.rpm
 0f934115755545407f79eada30feda35  
corporate/4.0/i586/libcurl3-devel-7.14.0-2.3.20060mdk.i586.rpm 
 132009109cdf739189bc194c222080dc  
corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm

 Corporate 4.0/X86_64:
 367d03b3f185b9ad37fd5c28e0ea956b  
corporate/4.0/x86_64/curl-7.14.0-2.3.20060mdk.x86_64.rpm
 11353510721cc81b4d47defcdff0c655  
corporate/4.0/x86_64/lib64curl3-7.14.0-2.3.20060mdk.x86_64.rpm
 4b0f21ce51e858915ba7a403365d8c3b  
corporate/4.0/x86_64/lib64curl3-devel-7.14.0-2.3.20060mdk.x86_64.rpm 
 132009109cdf739189bc194c222080dc  
corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm

 Multi Network Firewall 2.0:
 2319fdfd00d3cc01d7c219f7fafc2e4d  mnf/2.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
 a14ae20d122b773438335669b258c7fa  
mnf/2.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
 6b6235adcac53c26ae2f96c824db5fe7  
mnf/2.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm 
 bf370dbbaed4785446495eb94d4d8c39  mnf/2.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJsZacmqjQ0CJFipgRAvzaAKDcbRIdXyZINwGJzH0leUmSPF2OoACfZH/6
eN2UMLpTDvoCyXXeRz3oDpc=
=37RE
-----END PGP SIGNATURE-----

Prev by Date: [ GLSA 200903-04 ] DevIL: User-assisted execution of arbitrary code
Next by Date: [ MDVSA-2009:068-1 ] poppler
Previous by thread: [ GLSA 200903-04 ] DevIL: User-assisted execution of arbitrary code
Next by thread: [ MDVSA-2009:068-1 ] poppler
Index(es):
- Date
- Thread