Scientific Linux: CVE-2011-2192 Moderate: curl Credential Delegation Issue

Date: Tue, 5 Jul 2011 16:30:45 -0500
Reply-To: Troy Dawson 
Sender: Security Errata for Scientific Linux
 
From: Troy Dawson 
Subject: Security ERRATA Moderate: curl on SL4.x, SL5.x, SL6.x i386/x86_64
Comments: To: "This email address is being protected from spambots. You need JavaScript enabled to view it."
 
MIME-Version: 1.0

Synopsis:	Moderate: curl security update
Issue date:	2011-07-05
CVE Names:	CVE-2011-2192

cURL provides the libcurl library and a command line tool for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP.

It was found that cURL always performed credential delegation when
authenticating with GSSAPI. A rogue server could use this flaw to obtain
the client's credentials and impersonate that client to other servers
that are using GSSAPI. (CVE-2011-2192)

All running applications using libcurl must be restarted for the update
to take effect.

SL 4.x

 SRPMS:
curl-7.12.1-17.el4.src.rpm
 i386:
curl-7.12.1-17.el4.i386.rpm
curl-devel-7.12.1-17.el4.i386.rpm
 x86_64:
curl-7.12.1-17.el4.i386.rpm
curl-7.12.1-17.el4.x86_64.rpm
curl-devel-7.12.1-17.el4.x86_64.rpm

SL 5.x

 SRPMS:
curl-7.15.5-9.el5_6.3.src.rpm
 i386:
curl-7.15.5-9.el5_6.3.i386.rpm
curl-devel-7.15.5-9.el5_6.3.i386.rpm
 x86_64:
curl-7.15.5-9.el5_6.3.i386.rpm
curl-7.15.5-9.el5_6.3.x86_64.rpm
curl-devel-7.15.5-9.el5_6.3.i386.rpm
curl-devel-7.15.5-9.el5_6.3.x86_64.rpm

SL 6.x

 SRPMS:
curl-7.19.7-26.el6_1.1.src.rpm
 i386:
curl-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
 x86_64:
curl-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-7.19.7-26.el6_1.1.i686.rpm
libcurl-7.19.7-26.el6_1.1.x86_64.rpm
libcurl-devel-7.19.7-26.el6_1.1.i686.rpm
libcurl-devel-7.19.7-26.el6_1.1.x86_64.rpm

- Scientific Linux Development Team