news 28 Posted March 19, 2009 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: curl security update Advisory ID: RHSA-2009:0341-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-0341.html Issue date: 2009-03-19 CVE Names: CVE-2009-0037 ===================================================================== 1. Summary: Updated curl packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1, 3, 4, and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 2.1 - i386 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 Red Hat Linux Advanced Workstation 2.1 - ia64 3. Description: cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. David Kierznowski discovered a flaw in libcurl where it would not differentiate between different target URLs when handling automatic redirects. This caused libcurl to follow any new URL that it understood, including the "file://" URL type. This could allow a remote server to force a local libcurl-using application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2009-0037) Note: Applications using libcurl that are expected to follow redirects to "file://" protocol must now explicitly call curl_easy_setopt(3) and set the newly introduced CURLOPT_REDIR_PROTOCOLS option as required. cURL users should upgrade to these updated packages, which contain backported patches to correct these issues. All running applications using libcurl must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 485271 - CVE-2009-0037 curl: local file access via unsafe redirects 6. Package List: Red Hat Enterprise Linux AS (Advanced Server) version 2.1 : Source: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/curl-7.8-3.rhel2.src.rpm i386: curl-7.8-3.rhel2.i386.rpm curl-devel-7.8-3.rhel2.i386.rpm ia64: curl-7.8-3.rhel2.ia64.rpm curl-devel-7.8-3.rhel2.ia64.rpm Red Hat Linux Advanced Workstation 2.1: Source: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/curl-7.8-3.rhel2.src.rpm ia64: curl-7.8-3.rhel2.ia64.rpm curl-devel-7.8-3.rhel2.ia64.rpm Red Hat Enterprise Linux ES version 2.1: Source: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/curl-7.8-3.rhel2.src.rpm i386: curl-7.8-3.rhel2.i386.rpm curl-devel-7.8-3.rhel2.i386.rpm Red Hat Enterprise Linux WS version 2.1: Source: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/curl-7.8-3.rhel2.src.rpm i386: curl-7.8-3.rhel2.i386.rpm curl-devel-7.8-3.rhel2.i386.rpm Red Hat Enterprise Linux AS version 3: Source: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/curl-7.10.6-9.rhel3.src.rpm i386: curl-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-devel-7.10.6-9.rhel3.i386.rpm ia64: curl-7.10.6-9.rhel3.i386.rpm curl-7.10.6-9.rhel3.ia64.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.ia64.rpm curl-devel-7.10.6-9.rhel3.ia64.rpm ppc: curl-7.10.6-9.rhel3.ppc.rpm curl-7.10.6-9.rhel3.ppc64.rpm curl-debuginfo-7.10.6-9.rhel3.ppc.rpm curl-debuginfo-7.10.6-9.rhel3.ppc64.rpm curl-devel-7.10.6-9.rhel3.ppc.rpm s390: curl-7.10.6-9.rhel3.s390.rpm curl-debuginfo-7.10.6-9.rhel3.s390.rpm curl-devel-7.10.6-9.rhel3.s390.rpm s390x: curl-7.10.6-9.rhel3.s390.rpm curl-7.10.6-9.rhel3.s390x.rpm curl-debuginfo-7.10.6-9.rhel3.s390.rpm curl-debuginfo-7.10.6-9.rhel3.s390x.rpm curl-devel-7.10.6-9.rhel3.s390x.rpm x86_64: curl-7.10.6-9.rhel3.i386.rpm curl-7.10.6-9.rhel3.x86_64.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.x86_64.rpm curl-devel-7.10.6-9.rhel3.x86_64.rpm Red Hat Desktop version 3: Source: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/curl-7.10.6-9.rhel3.src.rpm i386: curl-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-devel-7.10.6-9.rhel3.i386.rpm x86_64: curl-7.10.6-9.rhel3.i386.rpm curl-7.10.6-9.rhel3.x86_64.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.x86_64.rpm curl-devel-7.10.6-9.rhel3.x86_64.rpm Red Hat Enterprise Linux ES version 3: Source: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/curl-7.10.6-9.rhel3.src.rpm i386: curl-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-devel-7.10.6-9.rhel3.i386.rpm ia64: curl-7.10.6-9.rhel3.i386.rpm curl-7.10.6-9.rhel3.ia64.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.ia64.rpm curl-devel-7.10.6-9.rhel3.ia64.rpm x86_64: curl-7.10.6-9.rhel3.i386.rpm curl-7.10.6-9.rhel3.x86_64.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.x86_64.rpm curl-devel-7.10.6-9.rhel3.x86_64.rpm Red Hat Enterprise Linux WS version 3: Source: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/curl-7.10.6-9.rhel3.src.rpm i386: curl-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-devel-7.10.6-9.rhel3.i386.rpm ia64: curl-7.10.6-9.rhel3.i386.rpm curl-7.10.6-9.rhel3.ia64.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.ia64.rpm curl-devel-7.10.6-9.rhel3.ia64.rpm x86_64: curl-7.10.6-9.rhel3.i386.rpm curl-7.10.6-9.rhel3.x86_64.rpm curl-debuginfo-7.10.6-9.rhel3.i386.rpm curl-debuginfo-7.10.6-9.rhel3.x86_64.rpm curl-devel-7.10.6-9.rhel3.x86_64.rpm Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/curl-7.12.1-11.1.el4_7.1.src.rpm i386: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-devel-7.12.1-11.1.el4_7.1.i386.rpm ia64: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-7.12.1-11.1.el4_7.1.ia64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.ia64.rpm curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm ppc: curl-7.12.1-11.1.el4_7.1.ppc.rpm curl-7.12.1-11.1.el4_7.1.ppc64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.ppc.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.ppc64.rpm curl-devel-7.12.1-11.1.el4_7.1.ppc.rpm s390: curl-7.12.1-11.1.el4_7.1.s390.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.s390.rpm curl-devel-7.12.1-11.1.el4_7.1.s390.rpm s390x: curl-7.12.1-11.1.el4_7.1.s390.rpm curl-7.12.1-11.1.el4_7.1.s390x.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.s390.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.s390x.rpm curl-devel-7.12.1-11.1.el4_7.1.s390x.rpm x86_64: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-7.12.1-11.1.el4_7.1.x86_64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.x86_64.rpm curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/curl-7.12.1-11.1.el4_7.1.src.rpm i386: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-devel-7.12.1-11.1.el4_7.1.i386.rpm x86_64: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-7.12.1-11.1.el4_7.1.x86_64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.x86_64.rpm curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/curl-7.12.1-11.1.el4_7.1.src.rpm i386: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-devel-7.12.1-11.1.el4_7.1.i386.rpm ia64: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-7.12.1-11.1.el4_7.1.ia64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.ia64.rpm curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm x86_64: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-7.12.1-11.1.el4_7.1.x86_64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.x86_64.rpm curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/curl-7.12.1-11.1.el4_7.1.src.rpm i386: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-devel-7.12.1-11.1.el4_7.1.i386.rpm ia64: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-7.12.1-11.1.el4_7.1.ia64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.ia64.rpm curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm x86_64: curl-7.12.1-11.1.el4_7.1.i386.rpm curl-7.12.1-11.1.el4_7.1.x86_64.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.i386.rpm curl-debuginfo-7.12.1-11.1.el4_7.1.x86_64.rpm curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-2.1.el5_3.4.src.rpm i386: curl-7.15.5-2.1.el5_3.4.i386.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.i386.rpm x86_64: curl-7.15.5-2.1.el5_3.4.i386.rpm curl-7.15.5-2.1.el5_3.4.x86_64.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.i386.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/curl-7.15.5-2.1.el5_3.4.src.rpm i386: curl-debuginfo-7.15.5-2.1.el5_3.4.i386.rpm curl-devel-7.15.5-2.1.el5_3.4.i386.rpm x86_64: curl-debuginfo-7.15.5-2.1.el5_3.4.i386.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.x86_64.rpm curl-devel-7.15.5-2.1.el5_3.4.i386.rpm curl-devel-7.15.5-2.1.el5_3.4.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/curl-7.15.5-2.1.el5_3.4.src.rpm i386: curl-7.15.5-2.1.el5_3.4.i386.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.i386.rpm curl-devel-7.15.5-2.1.el5_3.4.i386.rpm ia64: curl-7.15.5-2.1.el5_3.4.ia64.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.ia64.rpm curl-devel-7.15.5-2.1.el5_3.4.ia64.rpm ppc: curl-7.15.5-2.1.el5_3.4.ppc.rpm curl-7.15.5-2.1.el5_3.4.ppc64.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.ppc.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.ppc64.rpm curl-devel-7.15.5-2.1.el5_3.4.ppc.rpm curl-devel-7.15.5-2.1.el5_3.4.ppc64.rpm s390x: curl-7.15.5-2.1.el5_3.4.s390.rpm curl-7.15.5-2.1.el5_3.4.s390x.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.s390.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.s390x.rpm curl-devel-7.15.5-2.1.el5_3.4.s390.rpm curl-devel-7.15.5-2.1.el5_3.4.s390x.rpm x86_64: curl-7.15.5-2.1.el5_3.4.i386.rpm curl-7.15.5-2.1.el5_3.4.x86_64.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.i386.rpm curl-debuginfo-7.15.5-2.1.el5_3.4.x86_64.rpm curl-devel-7.15.5-2.1.el5_3.4.i386.rpm curl-devel-7.15.5-2.1.el5_3.4.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 http://www.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFJwm7vXlSAg2UNWIIRAroFAKCKDeunP0rbrBA4fvgQX+CS2i3rPACff22Y ILjVK6SGd0jni2ahCuMeuUk= =BV0F -----END PGP SIGNATURE----- -- Share this post Link to post
