-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:116 http://www.mandriva.com/security/ _______________________________________________________________________ Package : curl Date : July 22, 2011 Affected: 2009.0, 2010.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability was discovered and corrected in curl: The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests (CVE-2011-2192). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192 _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: efa7576a48725c44f2f53eb42e9f5a24 2009.0/i586/curl-7.19.0-2.5mdv2009.0.i586.rpm 51928c0f801f157351f3843f794c2ec9 2009.0/i586/curl-examples-7.19.0-2.5mdv2009.0.i586.rpm 3e8584e39fc7946ffdc4ddd7c0a23b78 2009.0/i586/libcurl4-7.19.0-2.5mdv2009.0.i586.rpm 5b48546182e7323b1b95e3b084a63d1e 2009.0/i586/libcurl-devel-7.19.0-2.5mdv2009.0.i586.rpm e2ba5684e62b6ad3ed4e2ed8fe974a37 2009.0/SRPMS/curl-7.19.0-2.5mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: fd13f40cfeba7fab958fdcc3eec98f9c 2009.0/x86_64/curl-7.19.0-2.5mdv2009.0.x86_64.rpm 8078cbc6bdb189e5c105d0eef53f3ad1 2009.0/x86_64/curl-examples-7.19.0-2.5mdv2009.0.x86_64.rpm e319ecc8e70c0d222ec021c6bf2b884e 2009.0/x86_64/lib64curl4-7.19.0-2.5mdv2009.0.x86_64.rpm d43e6b3b4caa23d483d4205c19a4127f 2009.0/x86_64/lib64curl-devel-7.19.0-2.5mdv2009.0.x86_64.rpm e2ba5684e62b6ad3ed4e2ed8fe974a37 2009.0/SRPMS/curl-7.19.0-2.5mdv2009.0.src.rpm Mandriva Linux 2010.1: 1f3c2a90fb01fcc2719bce3e9645c66b 2010.1/i586/curl-7.20.1-2.1mdv2010.2.i586.rpm b1c758033beb896b902fa0ba418756b3 2010.1/i586/curl-examples-7.20.1-2.1mdv2010.2.i586.rpm a8c2de51650c92a409aba918c15697b2 2010.1/i586/libcurl4-7.20.1-2.1mdv2010.2.i586.rpm 650e33c87271d5c4f2e5b698c8de972e 2010.1/i586/libcurl-devel-7.20.1-2.1mdv2010.2.i586.rpm 1488b217fbc0731d77e79540444b54a9 2010.1/SRPMS/curl-7.20.1-2.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: be7a877b6af363e470630d4edd1b65ab 2010.1/x86_64/curl-7.20.1-2.1mdv2010.2.x86_64.rpm fdea83447b30e83229eda4c4dd9e3eaf 2010.1/x86_64/curl-examples-7.20.1-2.1mdv2010.2.x86_64.rpm 47eb4d21393bc10329bdcc7fed3105ec 2010.1/x86_64/lib64curl4-7.20.1-2.1mdv2010.2.x86_64.rpm d074056b2ec8e0af34d6fb63de9e9259 2010.1/x86_64/lib64curl-devel-7.20.1-2.1mdv2010.2.x86_64.rpm 1488b217fbc0731d77e79540444b54a9 2010.1/SRPMS/curl-7.20.1-2.1mdv2010.2.src.rpm Mandriva Enterprise Server 5: c1ca16b888b0873a9dfe7b7d62922b7d mes5/i586/curl-7.19.0-2.5mdvmes5.2.i586.rpm a00a332d35f477c84e9d92fb52f1ec49 mes5/i586/curl-examples-7.19.0-2.5mdvmes5.2.i586.rpm de1a06a70f3850d1fe4fdf62e355dce1 mes5/i586/libcurl4-7.19.0-2.5mdvmes5.2.i586.rpm 8a1797aca267e5eec1b5ff5da16527a6 mes5/i586/libcurl-devel-7.19.0-2.5mdvmes5.2.i586.rpm febf373948a2a1caae63d4c0645483e6 mes5/SRPMS/curl-7.19.0-2.5mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 1a4bedbbcc5e6c5f58f44bbd70818266 mes5/x86_64/curl-7.19.0-2.5mdvmes5.2.x86_64.rpm e24a7d74b4967bd4575ca66a09c5c2bf mes5/x86_64/curl-examples-7.19.0-2.5mdvmes5.2.x86_64.rpm 8adb8518393e336ba74ae0ce40ec0ac5 mes5/x86_64/lib64curl4-7.19.0-2.5mdvmes5.2.x86_64.rpm 809213447e1ef7e785960ca354396a18 mes5/x86_64/lib64curl-devel-7.19.0-2.5mdvmes5.2.x86_64.rpm febf373948a2a1caae63d4c0645483e6 mes5/SRPMS/curl-7.19.0-2.5mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFOKU19mqjQ0CJFipgRAv5IAJ0UtAC7pqlCpuf8qFwB9X+1wdi9iQCg5SJE hN4gsacKVHHLF60rcCZldDY= =3rAe -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/