Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.63584
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2009:0341
Summary:NOSUMMARY
Description:Description:
The remote host is missing updates announced in
advisory RHSA-2009:0341.

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict
servers, using any of the supported protocols. cURL is designed to work
without user interaction or any kind of interactivity.

David Kierznowski discovered a flaw in libcurl where it would not
differentiate between different target URLs when handling automatic
redirects. This caused libcurl to follow any new URL that it understood,
including the file:// URL type. This could allow a remote server to force
a local libcurl-using application to read a local file instead of the
remote one, possibly exposing local files that were not meant to be
exposed. (CVE-2009-0037)

Note: Applications using libcurl that are expected to follow redirects to
file:// protocol must now explicitly call curl_easy_setopt(3) and set the
newly introduced CURLOPT_REDIR_PROTOCOLS option as required.

cURL users should upgrade to these updated packages, which contain
backported patches to correct these issues. All running applications using
libcurl must be restarted for the update to take effect.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2009-0341.html
http://www.redhat.com/security/updates/classification/#moderate

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-0037
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
BugTraq ID: 33962
http://www.securityfocus.com/bid/33962
Bugtraq: 20090312 rPSA-2009-0042-1 curl (Google Search)
http://www.securityfocus.com/archive/1/501757/100/0/threaded
Bugtraq: 20090711 VMSA-2009-0009 ESX Service Console updates for udev, sudo, and curl (Google Search)
http://www.securityfocus.com/archive/1/504849/100/0/threaded
Debian Security Information: DSA-1738 (Google Search)
http://www.debian.org/security/2009/dsa-1738
http://security.gentoo.org/glsa/glsa-200903-21.xml
http://www.withdk.com/2009/03/03/curllibcurl-redirect-arbitrary-file-access/
http://www.withdk.com/archives/Libcurl_arbitrary_file_access.pdf
http://lists.vmware.com/pipermail/security-announce/2009/000060.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11054
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6074
http://www.redhat.com/support/errata/RHSA-2009-0341.html
http://www.securitytracker.com/id?1021783
http://secunia.com/advisories/34138
http://secunia.com/advisories/34202
http://secunia.com/advisories/34237
http://secunia.com/advisories/34251
http://secunia.com/advisories/34255
http://secunia.com/advisories/34259
http://secunia.com/advisories/34399
http://secunia.com/advisories/35766
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.476602
SuSE Security Announcement: SUSE-SR:2009:006 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html
http://www.ubuntu.com/usn/USN-726-1
http://www.vupen.com/english/advisories/2009/0581
http://www.vupen.com/english/advisories/2009/1865
XForce ISS Database: curl-location-security-bypass(49030)
https://exchange.xforce.ibmcloud.com/vulnerabilities/49030
CopyrightCopyright (c) 2009 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.