From: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA-1738-1                    [email protected]
http://www.debian.org/security/                                 Nico Golde
March 11th, 2009                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : curl
Vulnerability : arbitrary file access
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-0037
Debian Bug : 518423
BugTraq ID : 33962
David Kierznowski discovered that libcurl, a multi-protocol file transfer library, when configured to follow URL redirects automatically, does not question the new target location. As libcurl also supports file:// and scp:// URLs - depending on the setup - an untrusted server could use that to expose local files, overwrite local files or even execute arbitrary code via a malicious URL redirect.
This update introduces a new option called CURLOPT_REDIR_PROTOCOLS which by default does not include the scp and file protocol handlers.
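The policy behind the new option, as an added illustration that is not libcurl's code and not part of the advisory: in libcurl, CURLOPT_REDIR_PROTOCOLS is a bitmask passed to curl_easy_setopt(), and the point of a second, separate option is that the application chooses the first URL while every Location header is chosen by the remote server, so redirect targets need their own, stricter allowlist. The Python below models that decision on plain strings: relative Location values are resolved against the request URL, the resulting scheme is normalised and compared against an allowlist that, like the updated default, contains http and https but not scp or file. The SAMPLE_SERVER table, the example.test host and all helper names are constructed for this example.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a redirect may switch to. Mirrors the updated libcurl default
# described in the advisory: http/https only, scp and file excluded.
# (Constructed for this example; libcurl uses a bitmask, not a set.)
DEFAULT_REDIR_SCHEMES = frozenset({"http", "https"})


def resolve_redirect(request_url, location, allowed=DEFAULT_REDIR_SCHEMES):
    """Return the absolute URL a Location header points to, or None if the
    redirect must be refused because its scheme is not in `allowed`.

    `location` is the raw header value and may be relative; it is resolved
    against the URL of the request that produced it. The scheme check is
    case-insensitive so that "FILE:///..." is not waved through.
    """
    target = urljoin(request_url, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme not in allowed:
        return None
    return target


def follow_redirects(start_url, server, allowed=DEFAULT_REDIR_SCHEMES,
                     max_redirects=5):
    """Walk a redirect chain against a fake server table.

    `server` maps a URL to the Location header it answers with; a URL that is
    absent from the table is a final resource. Returns a tuple
    (status, url, hops) where status is "ok", "refused" (stopped at the last
    trusted URL) or "too_many_redirects".
    """
    url = start_url
    hops = []
    for _ in range(max_redirects):
        location = server.get(url)
        if location is None:
            return ("ok", url, hops)
        nxt = resolve_redirect(url, location, allowed)
        if nxt is None:
            # The server tried to steer us to a scheme we did not opt in to;
            # stop here rather than touching the local filesystem or scp.
            return ("refused", url, hops)
        hops.append(nxt)
        url = nxt
    return ("too_many_redirects", url, hops)


# Constructed sample "server": URL -> Location header it returns.
SAMPLE_SERVER = {
    "http://example.test/start": "/next",                     # relative hop
    "http://example.test/next": "https://example.test/final",  # http -> https
    "http://example.test/trap": "file:///etc/hostname",        # local file
    "http://example.test/scp-trap": "scp://host.test/path",    # scp handler
    "http://example.test/loop": "/loop",                       # never ends
}


if __name__ == "__main__":
    for start in ("http://example.test/start", "http://example.test/trap",
                  "http://example.test/scp-trap", "http://example.test/loop"):
        print(start, "->", follow_redirects(start, SAMPLE_SERVER))
    # Opting in to file (the pre-update behaviour) makes the trap reachable:
    print("opt-in:", follow_redirects("http://example.test/trap", SAMPLE_SERVER,
                                      allowed={"http", "https", "file"}))
```

The last call shows the behaviour the advisory describes: only when the application explicitly widens the redirect allowlist does a server-supplied file:// target get followed; with the default set it is refused and the chain stops at the last trusted URL.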
For the oldstable distribution (etch) this problem has been fixed in
version 7.15.5-1etch2.
For the stable distribution (lenny) this problem has been fixed in
version 7.18.2-8lenny2.
For the unstable distribution (sid) this problem has been fixed in
version 7.18.2-8.1.
We recommend that you upgrade your curl packages.
Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian (oldstable)
- ------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch2.dsc
Size/MD5 checksum: 956 0a164bd43dbfb582a049fe3a737a375b
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5.orig.tar.gz
Size/MD5 checksum: 1897973 61997c0d852d38c3a85b445f4fc02892
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch2.diff.gz
Size/MD5 checksum: 21635 47c30162c60f8192bce199f5fab0012d
Architecture independent packages:
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dev_7.15.5-1etch2_all.deb
Size/MD5 checksum: 22244 752d541336f513b3bfd0841e0868b472
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch2_alpha.deb
Size/MD5 checksum: 166256 709d02b9dae8f4b0c7333d6f03c31628
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch2_alpha.deb
Size/MD5 checksum: 816206 a36046c7827322a14d257bd3fb74010b
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch2_alpha.deb
Size/MD5 checksum: 818778 967acf1522d86fdf56e84e1c5b22f147
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch2_alpha.deb
Size/MD5 checksum: 809316 af0f20647d1a91d799dcbed6980428b7
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch2_alpha.deb
Size/MD5 checksum: 181392 78c3b97fba2c35b5c5d1bf1eb5f1d908
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch2_alpha.deb
Size/MD5 checksum: 174310 433c7e16f748f83db01989e8a249a101
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch2_amd64.deb
Size/MD5 checksum: 164766 6f3f68c322aa54a5000975530ded729e
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch2_amd64.deb
Size/MD5 checksum: 170058 f6fd6e8f7a3e030ca028a6750f666061
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch2_amd64.deb
Size/MD5 checksum: 772142 5d3cdfcfdaf0604aeebfc395703d6df7
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch2_amd64.deb
Size/MD5 checksum: 778626 490801518500a00caec9e45fb755c524
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch2_amd64.deb
Size/MD5 checksum: 824964 a57398dfcbd49c33060a48671bed8a02
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch2_amd64.deb
Size/MD5 checksum: 163446 7eaaea76d628e03e8ebdc580bff0b72b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls-dev_7.15.5-1etch2_arm.deb
Size/MD5 checksum: 756884 8eed02667e02867ad3d130a40ad4f330
http://security.debian.org/pool/updates/main/c/curl/libcurl3-openssl-dev_7.15.5-1etch2_arm.deb
Size/MD5 checksum: 762352 b5720175a10c9f7333a2e8a298aac91d
http://security.debian.org/pool/updates/main/c/curl/libcurl3-dbg_7.15.5-1etch2_arm.deb
Size/MD5 checksum: 783552 72af9664d85d8aa4ca0960da19554333
http://security.debian.org/pool/updates/main/c/curl/libcurl3-gnutls_7.15.5-1etch2_arm.deb
Size/MD5 checksum: 160536 c9fb486fd46228488f391d57a9d6edc8
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch2_arm.deb
Size/MD5 checksum: 165914 b1188bf4e4da054e04b77c4e8f27ca73
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch2_arm.deb
Size/MD5 checksum: 162598 a60ef14833ef5f5bad0bffbda329e326
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/c/curl/curl_7.15.5-1etch2_hppa.deb
Size/MD5 checksum: 164866 73bdea9c0a854221204e7d232a464ad7
http://security.debian.org/pool/updates/main/c/curl/libcurl3_7.15.5-1etch2_hppa.deb
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)