Category: Red Hat Local Security Checks
Title: RedHat Security Advisory RHSA-2009:0341

The remote host is missing updates announced in

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict
servers, using any of the supported protocols. cURL is designed to work
without user interaction or any kind of interactivity.

David Kierznowski discovered a flaw in libcurl where it would not
differentiate between different target URLs when handling automatic
redirects. This caused libcurl to follow any new URL that it understood,
including the file:// URL type. This could allow a remote server to force
a local libcurl-using application to read a local file instead of the
remote one, possibly exposing local files that were not meant to be

Note: Applications using libcurl that are expected to follow redirects to
the file:// protocol must now explicitly call curl_easy_setopt(3) and set
the newly introduced CURLOPT_REDIR_PROTOCOLS option as required.

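The redirect policy the note describes, modelled as an added example in plain C (not code from libcurl or from the advisory): a redirect is followed only when the target's scheme is in an explicit allowlist, so file:// is refused unless the application opts in. The P_* constants and function names are hypothetical; in libcurl itself the allowlist is set with CURLOPT_REDIR_PROTOCOLS.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Scheme bits for this example (hypothetical names, not libcurl's constants). */
enum { P_HTTP = 1, P_HTTPS = 2, P_FTP = 4, P_FILE = 8 };

static const struct { const char *name; unsigned bit; } KNOWN[] = {
    {"http", P_HTTP}, {"https", P_HTTPS}, {"ftp", P_FTP}, {"file", P_FILE},
};

/* Case-insensitive match of the first n bytes of s against a lowercase name. */
static int scheme_eq(const char *s, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != name[i]) return 0;
    return 1;
}

/* Scheme bit of url: `inherit` for a relative reference, 0 for an unknown scheme. */
unsigned scheme_of(const char *url, unsigned inherit)
{
    size_t n = 0;
    while (*url == ' ' || *url == '\t') url++;   /* header value padding */
    if (!isalpha((unsigned char)url[0])) return inherit;
    /* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
    while (isalnum((unsigned char)url[n]) || (url[n] && strchr("+-.", url[n]))) n++;
    if (url[n] != ':') return inherit;
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++)
        if (scheme_eq(url, n, KNOWN[i].name)) return KNOWN[i].bit;
    return 0;                                    /* unknown scheme: fail closed */
}

/* 1 if a redirect from current_url to the Location value may be followed. */
int redirect_allowed(const char *current_url, const char *location, unsigned allowed)
{
    unsigned target = scheme_of(location, scheme_of(current_url, 0));
    return (target & allowed) != 0;
}

int main(void)
{
    /* Constructed input: an HTTP response redirecting to a local file. */
    return redirect_allowed("http://example.test/a", "file:///etc/passwd",
                            P_HTTP | P_HTTPS);   /* exit status 0: not followed */
}
```
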
cURL users should upgrade to these updated packages, which contain
backported patches to correct these issues. All running applications using
libcurl must be restarted for the update to take effect.

Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

Common Vulnerability Exposure (CVE) ID: CVE-2009-0037
BugTraq ID: 33962
Bugtraq: 20090312 rPSA-2009-0042-1 curl
Bugtraq: 20090711 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl
Debian Security Information: DSA-1738
SuSE Security Announcement: SUSE-SR:2009:006
XForce ISS Database: curl-location-security-bypass(49030)
Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com