MDVSA-2012:058

Package name

curl

Date

2012-04-13

Advisory ID

MDVSA-2012:058

Affected versions

2011 i586 , 2011 x86_64 , 2010.1 i586 , 2010.1 x86_64

Problem description

Multiple vulnerabilities has been found and corrected in curl:

curl is vulnerable to a SSL CBC IV vulnerability when built to use
OpenSSL for the SSL/TLS layer. A work-around has been added to mitigate
the problem (CVE-2011-3389).

curl is vulnerable to a data injection attack for certain protocols
through control characters embedded or percent-encoded in URLs
(CVE-2012-0036).

The updated packages have been patched to correct these issues.

Updated packages

2011 i586

 6445b9b47ca90ff11912a6793a2f4fb9  2011/i586/curl-7.21.7-1.1-mdv2011.0.i586.rpm
 d0b92983656b8629903f9bf2bbfbc43b  2011/i586/curl-examples-7.21.7-1.1-mdv2011.0.i586.rpm
 2bc028afacef4e47af3597d71b594fd7  2011/i586/libcurl4-7.21.7-1.1-mdv2011.0.i586.rpm
 28dc517658b4b5e0d9e2204da6b2d603  2011/i586/libcurl-devel-7.21.7-1.1-mdv2011.0.i586.rpm 
 2194276240c12c866c31fba743ea9ee4  2011/SRPMS/curl-7.21.7-1.1.src.rpm

2011 x86_64

 8566de165a109b88c211731f84d5279a  2011/x86_64/curl-7.21.7-1.1-mdv2011.0.x86_64.rpm
 1a9dcb47bb78ebcff2c2242be198c59f  2011/x86_64/curl-examples-7.21.7-1.1-mdv2011.0.x86_64.rpm
 9b75a29092361b8f7c9d6ffebb6cec48  2011/x86_64/lib64curl4-7.21.7-1.1-mdv2011.0.x86_64.rpm
 82b79d8ba65b018eb34d35ad3a1cb643  2011/x86_64/lib64curl-devel-7.21.7-1.1-mdv2011.0.x86_64.rpm 
 2194276240c12c866c31fba743ea9ee4  2011/SRPMS/curl-7.21.7-1.1.src.rpm

2010.1 i586

 2bdc2242df0233c3e0b3b259d772decc  2010.1/i586/curl-7.20.1-2.2mdv2010.2.i586.rpm
 514a3c248b06b1003ca879a2f6836fd6  2010.1/i586/curl-examples-7.20.1-2.2mdv2010.2.i586.rpm
 94af6abc58dc950e22d109f054ec970b  2010.1/i586/libcurl4-7.20.1-2.2mdv2010.2.i586.rpm
 12d9e5f39c9617da8a0e795820e7b4d5  2010.1/i586/libcurl-devel-7.20.1-2.2mdv2010.2.i586.rpm 
 4a4a0081446bd7b7ea0ca5c2597af8d4  2010.1/SRPMS/curl-7.20.1-2.2mdv2010.2.src.rpm

2010.1 x86_64

 0319e4b64c85f421fd234aa60e795e0a  2010.1/x86_64/curl-7.20.1-2.2mdv2010.2.x86_64.rpm
 e27cc075785a8920d1ef3e3cd7550b63  2010.1/x86_64/curl-examples-7.20.1-2.2mdv2010.2.x86_64.rpm
 6bc1a150e02f3d6315e2a69c106aedd8  2010.1/x86_64/lib64curl4-7.20.1-2.2mdv2010.2.x86_64.rpm
 834d8fa9140bbc8e157f897a4dda3567  2010.1/x86_64/lib64curl-devel-7.20.1-2.2mdv2010.2.x86_64.rpm 
 4a4a0081446bd7b7ea0ca5c2597af8d4  2010.1/SRPMS/curl-7.20.1-2.2mdv2010.2.src.rpm

References

• http://curl.haxx.se/docs/manpage.html#--ssl-allow-beast
• http://curl.haxx.se/libcurl/c/curl_easy_setopt.html#CURLOPTSSLOPTIONS
• http://thread.gmane.org/gmane.comp.web.curl.library/34659
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0036
• http://curl.haxx.se/docs/adv_20120124B.html
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
• http://curl.haxx.se/docs/adv_20120124.html