Support / Sécurité / Annonces de sécurité / Multi Network Firewall 2.0 / MDVSA-2009:069

Nom du paquet: curl
Date: 2009-03-06
Advisory ID: MDVSA-2009:069
Affected versions: 2009.0 x86_64 , CS4.0 x86_64 , MNF2.0 i586 , 2008.0 i586 , 2009.0 i586 , CS3.0 x86_64 , 2008.0 x86_64 , CS3.0 i586 , 2008.1 x86_64 , 2008.1 i586 , CS4.0 i586

Problem description

A security vulnerability has been identified and fixed in curl, which
could allow remote HTTP servers to (1) trigger arbitrary requests to
intranet servers, (2) read or overwrite arbitrary files via a redirect
to a file: URL, or (3) execute arbitrary commands via a redirect to
an scp: URL (CVE-2009-0037).

The updated packages have been patched to prevent this.

Updated packages

2009.0 x86_64

 e799091f80c2c44b629fc144b48effa1  2009.0/x86_64/curl-7.19.0-2.2mdv2009.0.x86_64.rpm
 227315c6aefc62e9a1dd7750a3b0d81a  2009.0/x86_64/curl-examples-7.19.0-2.2mdv2009.0.x86_64.rpm
 69c5335dcbe6f08fc67582bb5862ed55  2009.0/x86_64/lib64curl4-7.19.0-2.2mdv2009.0.x86_64.rpm
 f01ec9b830763e5f01d799da687ec605  2009.0/x86_64/lib64curl-devel-7.19.0-2.2mdv2009.0.x86_64.rpm 
 ebf22a3c6aa9e18847ec6c3311beb64b  2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm

CS4.0 x86_64

 367d03b3f185b9ad37fd5c28e0ea956b  corporate/4.0/x86_64/curl-7.14.0-2.3.20060mdk.x86_64.rpm
 11353510721cc81b4d47defcdff0c655  corporate/4.0/x86_64/lib64curl3-7.14.0-2.3.20060mdk.x86_64.rpm
 4b0f21ce51e858915ba7a403365d8c3b  corporate/4.0/x86_64/lib64curl3-devel-7.14.0-2.3.20060mdk.x86_64.rpm 
 132009109cdf739189bc194c222080dc  corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm

MNF2.0 i586

 2319fdfd00d3cc01d7c219f7fafc2e4d  mnf/2.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
 a14ae20d122b773438335669b258c7fa  mnf/2.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
 6b6235adcac53c26ae2f96c824db5fe7  mnf/2.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm 
 bf370dbbaed4785446495eb94d4d8c39  mnf/2.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm

2008.0 i586

 67e1fb1335abc2721ce040ce5ebffcb1  2008.0/i586/curl-7.16.4-2.1mdv2008.0.i586.rpm
 605b696753bcaba3f7bca0080e454a03  2008.0/i586/libcurl4-7.16.4-2.1mdv2008.0.i586.rpm
 0d765f46a89a73af026ffcd5ab0bf375  2008.0/i586/libcurl-devel-7.16.4-2.1mdv2008.0.i586.rpm 
 5b41fd64ace9251752278ab51c485283  2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm

2009.0 i586

 12514e678a4b04123f00bc422fcf9a3a  2009.0/i586/curl-7.19.0-2.2mdv2009.0.i586.rpm
 4a250c02f083f2729cfe7d23c903a386  2009.0/i586/curl-examples-7.19.0-2.2mdv2009.0.i586.rpm
 f6b909859eec695f753ddba2d716b5a2  2009.0/i586/libcurl4-7.19.0-2.2mdv2009.0.i586.rpm
 e5a953b568c4b8ccebe66a300885747d  2009.0/i586/libcurl-devel-7.19.0-2.2mdv2009.0.i586.rpm 
 ebf22a3c6aa9e18847ec6c3311beb64b  2009.0/SRPMS/curl-7.19.0-2.2mdv2009.0.src.rpm

CS3.0 x86_64

 ca7ddd09a8a21b18a8a7ab32ab49516c  corporate/3.0/x86_64/curl-7.11.0-2.3.C30mdk.x86_64.rpm
 3323f2165b8f0df55263222ca8bf1f0a  corporate/3.0/x86_64/lib64curl2-7.11.0-2.3.C30mdk.x86_64.rpm
 3ea5fa46f598f2008296781c5b613e7f  corporate/3.0/x86_64/lib64curl2-devel-7.11.0-2.3.C30mdk.x86_64.rpm 
 45d58f4c743fd8cd0b44836ade158c85  corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm

2008.0 x86_64

 cbb9fafd973426a0a572ed7c0c58a556  2008.0/x86_64/curl-7.16.4-2.1mdv2008.0.x86_64.rpm
 cd427c136cf760b06ec4f8530f0c6d6d  2008.0/x86_64/lib64curl4-7.16.4-2.1mdv2008.0.x86_64.rpm
 5e5fabf4303b50f68ea2ea3ca6c0819e  2008.0/x86_64/lib64curl-devel-7.16.4-2.1mdv2008.0.x86_64.rpm 
 5b41fd64ace9251752278ab51c485283  2008.0/SRPMS/curl-7.16.4-2.1mdv2008.0.src.rpm

CS3.0 i586

 4df533f45f46c2891c87dcc108aa05e6  corporate/3.0/i586/curl-7.11.0-2.3.C30mdk.i586.rpm
 bbb9558c954aa6b881db878e3cb5e340  corporate/3.0/i586/libcurl2-7.11.0-2.3.C30mdk.i586.rpm
 3373382bebf28906bcb2c8a00e129ce0  corporate/3.0/i586/libcurl2-devel-7.11.0-2.3.C30mdk.i586.rpm 
 45d58f4c743fd8cd0b44836ade158c85  corporate/3.0/SRPMS/curl-7.11.0-2.3.C30mdk.src.rpm

2008.1 x86_64

 708a7b7555fc5de3fa5fe984aa2f5a62  2008.1/x86_64/curl-7.18.0-1.1mdv2008.1.x86_64.rpm
 54c16d007a21e88af81907c60c3846de  2008.1/x86_64/curl-examples-7.18.0-1.1mdv2008.1.x86_64.rpm
 e01f05c2973809b42dbbc86ecd42845b  2008.1/x86_64/lib64curl4-7.18.0-1.1mdv2008.1.x86_64.rpm
 c09950e7fcc52961f95c2aae7a83af39  2008.1/x86_64/lib64curl-devel-7.18.0-1.1mdv2008.1.x86_64.rpm 
 e9648a229edfb28f7fa366c833517573  2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm

2008.1 i586

 372d19020afefeef9d9c076fdbcfe927  2008.1/i586/curl-7.18.0-1.1mdv2008.1.i586.rpm
 8bc3d07c59a1ba1da24ecfe7ecea99ba  2008.1/i586/curl-examples-7.18.0-1.1mdv2008.1.i586.rpm
 691fd3f6beb73d0c273ba22dd8edcf84  2008.1/i586/libcurl4-7.18.0-1.1mdv2008.1.i586.rpm
 f40887d0d032930f77486e9e41360ad6  2008.1/i586/libcurl-devel-7.18.0-1.1mdv2008.1.i586.rpm 
 e9648a229edfb28f7fa366c833517573  2008.1/SRPMS/curl-7.18.0-1.1mdv2008.1.src.rpm

CS4.0 i586

 17241516d56baf7ba941065eed496ff5  corporate/4.0/i586/curl-7.14.0-2.3.20060mdk.i586.rpm
 9fbef738cadfc9158b3eec6cfaf66507  corporate/4.0/i586/libcurl3-7.14.0-2.3.20060mdk.i586.rpm
 0f934115755545407f79eada30feda35  corporate/4.0/i586/libcurl3-devel-7.14.0-2.3.20060mdk.i586.rpm 
 132009109cdf739189bc194c222080dc  corporate/4.0/SRPMS/curl-7.14.0-2.3.20060mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0037