-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:069 http://www.mandriva.com/security/ _______________________________________________________________________ Package : curl Date : March 6, 2009 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0 _______________________________________________________________________ Problem Description: A security vulnerability has been identified and fixed in curl, which could allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL (CVE-2009-0037). The updated packages have been patched to prevent this. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 67e1fb1335abc2721ce040ce5ebffcb1 2008.0/i586/curl-7.16.4-2.1mdv2008.0.i586.rpm 605b696753bcaba3f7bca0080e454a03 2008.0/i586/libcurl4-7.16.4-2.1mdv2008.0.i586.rpm 0d765f46a89a73af026ffcd5ab0bf375 2008.0/i586/libcurl-devel-7.16.4-2.1mdv2008.0.i586.rpm 5b41fd64ace9251752278ab51c485283 2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: cbb9fafd973426a0a572ed7c0c58a556 2008.0/x86_64/curl-7.16.4-2.1mdv2008.0.x86_64.rpm cd427c136cf760b06ec4f8530f0c6d6d 2008.0/x86_64/lib64curl4-7.16.4-2.1mdv2008.0.x86_64.rpm 5e5fabf4303b50f68ea2ea3ca6c0819e 2008.0/x86_64/lib64curl-devel-7.16.4-2.1mdv2008.0.x86_64.rpm 5b41fd64ace9251752278ab51c485283 2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm Mandriva Linux 2008.1: 372d19020afefeef9d9c076fdbcfe927 2008.1/i586/curl-7.18.0-1.1mdv2008.1.i586.rpm 8bc3d07c59a1ba1da24ecfe7ecea99ba 2008.1/i586/curl-examples-7.18.0-1.1mdv2008.1.i586.rpm 691fd3f6beb73d0c273ba22dd8edcf84 2008.1/i586/libcurl4-7.18.0-1.1mdv2008.1.i586.rpm f40887d0d032930f77486e9e41360ad6 2008.1/i586/libcurl-devel-7.18.0-1.1mdv2008.1.i586.rpm e9648a229edfb28f7fa366c833517573 2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 708a7b7555fc5de3fa5fe984aa2f5a62 2008.1/x86_64/curl-7.18.0-1.1mdv2008.1.x86_64.rpm 54c16d007a21e88af81907c60c3846de 2008.1/x86_64/curl-examples-7.18.0-1.1mdv2008.1.x86_64.rpm e01f05c2973809b42dbbc86ecd42845b 2008.1/x86_64/lib64curl4-7.18.0-1.1mdv2008.1.x86_64.rpm c09950e7fcc52961f95c2aae7a83af39 2008.1/x86_64/lib64curl-devel-7.18.0-1.1mdv2008.1.x86_64.rpm e9648a229edfb28f7fa366c833517573 2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm Mandriva Linux 2009.0: 12514e678a4b04123f00bc422fcf9a3a 2009.0/i586/curl-7.19.0-2.2mdv2009.0.i586.rpm 4a250c02f083f2729cfe7d23c903a386 2009.0/i586/curl-examples-7.19.0-2.2mdv2009.0.i586.rpm f6b909859eec695f753ddba2d716b5a2 2009.0/i586/libcurl4-7.19.0-2.2mdv2009.0.i586.rpm e5a953b568c4b8ccebe66a300885747d 2009.0/i586/libcurl-devel-7.19.0-2.2mdv2009.0.i586.rpm ebf22a3c6aa9e18847ec6c3311beb64b 2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: e799091f80c2c44b629fc144b48effa1 2009.0/x86_64/curl-7.19.0-2.2mdv2009.0.x86_64.rpm 227315c6aefc62e9a1dd7750a3b0d81a 2009.0/x86_64/curl-examples-7.19.0-2.2mdv2009.0.x86_64.rpm 69c5335dcbe6f08fc67582bb5862ed55 2009.0/x86_64/lib64curl4-7.19.0-2.2mdv2009.0.x86_64.rpm f01ec9b830763e5f01d799da687ec605 2009.0/x86_64/lib64curl-devel-7.19.0-2.2mdv2009.0.x86_64.rpm ebf22a3c6aa9e18847ec6c3311beb64b 2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm Corporate 3.0: 4df533f45f46c2891c87dcc108aa05e6 corporate/3.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm bbb9558c954aa6b881db878e3cb5e340 corporate/3.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm 3373382bebf28906bcb2c8a00e129ce0 corporate/3.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm 45d58f4c743fd8cd0b44836ade158c85 corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm Corporate 3.0/X86_64: ca7ddd09a8a21b18a8a7ab32ab49516c corporate/3.0/x86_64/curl-7.11.0-2.3.C30mdk.x86_64.rpm 3323f2165b8f0df55263222ca8bf1f0a corporate/3.0/x86_64/lib64curl2-7.11.0-2.3.C30mdk.x86_64.rpm 3ea5fa46f598f2008296781c5b613e7f corporate/3.0/x86_64/lib64curl2-devel-7.11.0-2.3.C30mdk.x86_64.rpm 45d58f4c743fd8cd0b44836ade158c85 corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm Corporate 4.0: 17241516d56baf7ba941065eed496ff5 corporate/4.0/i586/curl-7.14.0-2.3.20060mdk.i586.rpm 9fbef738cadfc9158b3eec6cfaf66507 corporate/4.0/i586/libcurl3-7.14.0-2.3.20060mdk.i586.rpm 0f934115755545407f79eada30feda35 corporate/4.0/i586/libcurl3-devel-7.14.0-2.3.20060mdk.i586.rpm 132009109cdf739189bc194c222080dc corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm Corporate 4.0/X86_64: 367d03b3f185b9ad37fd5c28e0ea956b corporate/4.0/x86_64/curl-7.14.0-2.3.20060mdk.x86_64.rpm 11353510721cc81b4d47defcdff0c655 corporate/4.0/x86_64/lib64curl3-7.14.0-2.3.20060mdk.x86_64.rpm 4b0f21ce51e858915ba7a403365d8c3b corporate/4.0/x86_64/lib64curl3-devel-7.14.0-2.3.20060mdk.x86_64.rpm 132009109cdf739189bc194c222080dc corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm Multi Network Firewall 2.0: 2319fdfd00d3cc01d7c219f7fafc2e4d mnf/2.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm a14ae20d122b773438335669b258c7fa mnf/2.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm 6b6235adcac53c26ae2f96c824db5fe7 mnf/2.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm bf370dbbaed4785446495eb94d4d8c39 mnf/2.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJsZacmqjQ0CJFipgRAvzaAKDcbRIdXyZINwGJzH0leUmSPF2OoACfZH/6 eN2UMLpTDvoCyXXeRz3oDpc= =37RE -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/