Pri radu programskog alata Curl uočen je sigurnosni propust koji udaljenim napadačima omogućuje lažno predstavljanje te time ostvarivanje neovlaštenog pristupa sustavu.
Paket:
curl 7.x
Operacijski sustavi:
Mandriva Linux 2009.0, Mandriva Linux 2010.1, Mandriva Linux Enterprise Server 5.0
Kritičnost:
3.2
Problem:
pogreška u programskoj funkciji
Iskorištavanje:
udaljeno
Posljedica:
neovlašteni pristup sustavu
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2011-2192
Izvorni ID preporuke:
MDVSA-2011:116
Izvor:
Mandriva
Problem:
Sigurnosni problem odnosi se na neispravan rad funkcije "Curl_input_negotiate" u datoteci http_negotiate.c koja je uvijek provodila delegaciju ovlasti tijekom GSSAPI autentifikacije.
Posljedica:
Zlonamjerni, udaljeni napadač propust može iskoristiti za pokušaj lažnog predstavljanja i potom ostvarivanje neovlaštenog pristupa sustavu pomoću GSSAPI zahtjeva.
Rješenje:
Korisnicima se preporučuje instalacija najnovije inačice.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:116
http://www.mandriva.com/security/
_______________________________________________________________________
Package : curl
Date : July 22, 2011
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability was discovered and corrected in curl:
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6
through 7.21.6, as used in curl and other products, always performs
credential delegation during GSSAPI authentication, which allows remote
servers to impersonate clients via GSSAPI requests (CVE-2011-2192).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2192
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
efa7576a48725c44f2f53eb42e9f5a24
2009.0/i586/curl-7.19.0-2.5mdv2009.0.i586.rpm
51928c0f801f157351f3843f794c2ec9
2009.0/i586/curl-examples-7.19.0-2.5mdv2009.0.i586.rpm
3e8584e39fc7946ffdc4ddd7c0a23b78
2009.0/i586/libcurl4-7.19.0-2.5mdv2009.0.i586.rpm
5b48546182e7323b1b95e3b084a63d1e
2009.0/i586/libcurl-devel-7.19.0-2.5mdv2009.0.i586.rpm
e2ba5684e62b6ad3ed4e2ed8fe974a37
2009.0/SRPMS/curl-7.19.0-2.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
fd13f40cfeba7fab958fdcc3eec98f9c
2009.0/x86_64/curl-7.19.0-2.5mdv2009.0.x86_64.rpm
8078cbc6bdb189e5c105d0eef53f3ad1
2009.0/x86_64/curl-examples-7.19.0-2.5mdv2009.0.x86_64.rpm
e319ecc8e70c0d222ec021c6bf2b884e
2009.0/x86_64/lib64curl4-7.19.0-2.5mdv2009.0.x86_64.rpm
d43e6b3b4caa23d483d4205c19a4127f
2009.0/x86_64/lib64curl-devel-7.19.0-2.5mdv2009.0.x86_64.rpm
e2ba5684e62b6ad3ed4e2ed8fe974a37
2009.0/SRPMS/curl-7.19.0-2.5mdv2009.0.src.rpm
Mandriva Linux 2010.1:
1f3c2a90fb01fcc2719bce3e9645c66b
2010.1/i586/curl-7.20.1-2.1mdv2010.2.i586.rpm
b1c758033beb896b902fa0ba418756b3
2010.1/i586/curl-examples-7.20.1-2.1mdv2010.2.i586.rpm
a8c2de51650c92a409aba918c15697b2
2010.1/i586/libcurl4-7.20.1-2.1mdv2010.2.i586.rpm
650e33c87271d5c4f2e5b698c8de972e
2010.1/i586/libcurl-devel-7.20.1-2.1mdv2010.2.i586.rpm
1488b217fbc0731d77e79540444b54a9
2010.1/SRPMS/curl-7.20.1-2.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
be7a877b6af363e470630d4edd1b65ab
2010.1/x86_64/curl-7.20.1-2.1mdv2010.2.x86_64.rpm
fdea83447b30e83229eda4c4dd9e3eaf
2010.1/x86_64/curl-examples-7.20.1-2.1mdv2010.2.x86_64.rpm
47eb4d21393bc10329bdcc7fed3105ec
2010.1/x86_64/lib64curl4-7.20.1-2.1mdv2010.2.x86_64.rpm
d074056b2ec8e0af34d6fb63de9e9259
2010.1/x86_64/lib64curl-devel-7.20.1-2.1mdv2010.2.x86_64.rpm
1488b217fbc0731d77e79540444b54a9
2010.1/SRPMS/curl-7.20.1-2.1mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
c1ca16b888b0873a9dfe7b7d62922b7d mes5/i586/curl-7.19.0-2.5mdvmes5.2.i586.rpm
a00a332d35f477c84e9d92fb52f1ec49
mes5/i586/curl-examples-7.19.0-2.5mdvmes5.2.i586.rpm
de1a06a70f3850d1fe4fdf62e355dce1
mes5/i586/libcurl4-7.19.0-2.5mdvmes5.2.i586.rpm
8a1797aca267e5eec1b5ff5da16527a6
mes5/i586/libcurl-devel-7.19.0-2.5mdvmes5.2.i586.rpm
febf373948a2a1caae63d4c0645483e6 mes5/SRPMS/curl-7.19.0-2.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
1a4bedbbcc5e6c5f58f44bbd70818266
mes5/x86_64/curl-7.19.0-2.5mdvmes5.2.x86_64.rpm
e24a7d74b4967bd4575ca66a09c5c2bf
mes5/x86_64/curl-examples-7.19.0-2.5mdvmes5.2.x86_64.rpm
8adb8518393e336ba74ae0ce40ec0ac5
mes5/x86_64/lib64curl4-7.19.0-2.5mdvmes5.2.x86_64.rpm
809213447e1ef7e785960ca354396a18
mes5/x86_64/lib64curl-devel-7.19.0-2.5mdvmes5.2.x86_64.rpm
febf373948a2a1caae63d4c0645483e6 mes5/SRPMS/curl-7.19.0-2.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFOKU19mqjQ0CJFipgRAv5IAJ0UtAC7pqlCpuf8qFwB9X+1wdi9iQCg5SJE
hN4gsacKVHHLF60rcCZldDY=
=3rAe
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke