-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:151
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : curl
 Date    : April 26, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Updated curl packages fix security vulnerability:

 libcurl is vulnerable to a cookie leak vulnerability when doing
 requests across domains with matching tails. This vulnerability can
 be used to hijack sessions in targeted attacks since registering
 domains using a known domain's name as an ending is trivial
 (CVE-2013-1944).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 f0521b89d652d1c45bfeff5f9aea5af7  mes5/i586/curl-7.19.0-2.6mdvmes5.2.i586.rpm
 daf9daaf4e61d1febab693f970fa52a8  mes5/i586/curl-examples-7.19.0-2.6mdvmes5.2.i586.rpm
 077a55e5c750e32b8859174778c779db  mes5/i586/libcurl4-7.19.0-2.6mdvmes5.2.i586.rpm
 1c893a591659bb28d4fdf8278ce615af  mes5/i586/libcurl-devel-7.19.0-2.6mdvmes5.2.i586.rpm
 d5b1ced5df5a5c8fc98db99abd8bbc0b  mes5/SRPMS/curl-7.19.0-2.6mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 cedf0d881fdb2c36a1884bc5fe0efb63  mes5/x86_64/curl-7.19.0-2.6mdvmes5.2.x86_64.rpm
 21a7b7ade9a334525bbe0725ba9bfa14  mes5/x86_64/curl-examples-7.19.0-2.6mdvmes5.2.x86_64.rpm
 09ef67ca7acd8b5e86ffd53dd9944b92  mes5/x86_64/lib64curl4-7.19.0-2.6mdvmes5.2.x86_64.rpm
 6470a7442aa71657fa22b137c2870e73  mes5/x86_64/lib64curl-devel-7.19.0-2.6mdvmes5.2.x86_64.rpm
 d5b1ced5df5a5c8fc98db99abd8bbc0b  mes5/SRPMS/curl-7.19.0-2.6mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 539dc5e1ada6bac459d752af6edb47b3  mbs1/x86_64/curl-7.24.0-2.1.mbs1.x86_64.rpm
 d009466416305b1b6c2a1306601df21c  mbs1/x86_64/curl-examples-7.24.0-2.1.mbs1.x86_64.rpm
 e5144a110a6097bcd6b33e34f5158d73  mbs1/x86_64/lib64curl4-7.24.0-2.1.mbs1.x86_64.rpm
 971ceabe6e9df96a446f582d17680c97  mbs1/x86_64/lib64curl-devel-7.24.0-2.1.mbs1.x86_64.rpm
 32a96e2c01d201c50372c18e1fd6204a  mbs1/SRPMS/curl-7.24.0-2.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFReh9XmqjQ0CJFipgRAt7JAKDvXle3q/mbz//KGUkbHHK4r/OzngCePZZm
TLRyRSJBiJSzfOKmTVLufgc=
=arVW
-----END PGP SIGNATURE-----
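
The "matching tails" problem named in the Problem Description, as an added C example (not curl's code and not part of the advisory): a plain suffix comparison accepts any host whose name ends with the cookie domain, while the stricter check also requires the match to cover the whole host or to start at a label boundary. The function names and the `.example` host names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive string equality using only ISO C. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Vulnerable pattern: the host only has to END with the cookie domain. */
static int tailmatch_naive(const char *cookie_domain, const char *host)
{
    size_t dlen = strlen(cookie_domain), hlen = strlen(host);
    return hlen >= dlen && ci_equal(cookie_domain, host + hlen - dlen);
}

/* Hardened check: the suffix must be the whole host name, or the
 * character just before it must be a '.' (a DNS label boundary). */
static int tailmatch_strict(const char *cookie_domain, const char *host)
{
    size_t dlen, hlen;
    if (*cookie_domain == '.')          /* accept "Domain=.shop.example" */
        cookie_domain++;
    dlen = strlen(cookie_domain);
    hlen = strlen(host);
    if (dlen == 0 || hlen < dlen)
        return 0;
    if (!ci_equal(cookie_domain, host + hlen - dlen))
        return 0;
    return hlen == dlen || host[hlen - dlen - 1] == '.';
}

int main(void)
{
    /* Constructed sample: one cookie domain, three request hosts. */
    const char *cookie_domain = "shop.example";
    const char *hosts[] = { "shop.example", "www.shop.example",
                            "othershop.example" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s naive=%d strict=%d\n", hosts[i],
               tailmatch_naive(cookie_domain, hosts[i]),
               tailmatch_strict(cookie_domain, hosts[i]));
    return 0;
}
```

Only the third host differs between the two checks: it is a separate registrable name that merely shares the tail, which is the case the advisory describes.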