Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Security Week: July 28th, 2014
Linux Advisory Watch: July 25th, 2014
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Ubuntu: curl vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu It was discovered that curl did not enforce any restrictions when following URL redirects. If a user or automated system were tricked into opening a URL to an untrusted server, an attacker could use redirects to gain access to abitrary files. This update changes curl behavior to prevent following "file" URLs after a redirect.
Ubuntu Security Notice USN-726-1             March 03, 2009
curl vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libcurl3                        7.15.1-1ubuntu3.1
  libcurl3-gnutls                 7.15.1-1ubuntu3.1

Ubuntu 7.10:
  libcurl3                        7.16.4-2ubuntu1.1
  libcurl3-gnutls                 7.16.4-2ubuntu1.1

Ubuntu 8.04 LTS:
  libcurl3                        7.18.0-1ubuntu2.1
  libcurl3-gnutls                 7.18.0-1ubuntu2.1

Ubuntu 8.10:
  libcurl3                        7.18.2-1ubuntu4.1
  libcurl3-gnutls                 7.18.2-1ubuntu4.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

It was discovered that curl did not enforce any restrictions when following
URL redirects. If a user or automated system were tricked into opening a URL to
an untrusted server, an attacker could use redirects to gain access to abitrary
files. This update changes curl behavior to prevent following "file" URLs after
a redirect.

Updated packages for Ubuntu 6.06 LTS:

  Source archives:
      Size/MD5:   187821 98a6bc2adb5c5673bdf39e10459be0e8
      Size/MD5:      946 54356fc9d1f2f629db92aec10f15ad52
      Size/MD5:  1769992 63be206109486d4653c73823aa2b34fa

  Architecture independent packages:
      Size/MD5:    31260 e1a1c7938bbc15a8f1183fe1d6d0af0a

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   169568 1315f552c57d7db1315f81b41589792c
      Size/MD5:   540736 bb54db6af7f71e8098b99f57c55a8c03
      Size/MD5:   717326 74244221991d13b3e27d7600b25cc667
      Size/MD5:   167960 0d960ee5cb9c386af7730dd6985e519e
      Size/MD5:   724246 a35139c3af268cb40a64b2d4562c239e
      Size/MD5:   172910 33529da99980d7c599c1ddbf49a7a298

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   168448 3ff82ec8fbffb489c198ef86ad45155b
      Size/MD5:   506770 10c355570dcb3812efa661f3359792fa
      Size/MD5:   700624 d9ed3ac37839ed446dd2d19f4c0ccac1
      Size/MD5:   160502 7325d0cd0802f12340de1e5ff8fc94ad
      Size/MD5:   705276 442b603f3bef1bb6b76cb475108d0869
      Size/MD5:   165456 52191a45a9ccfb55dfa95a5d6059c4c4

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   172084 3b8d50cd83bce1fbf4db132ac6b5fcf2
      Size/MD5:   542256 f038486866f70fd91641a338684c9fd7
      Size/MD5:   723702 ab81371909385b48de743ff8c6bdef1e
      Size/MD5:   170316 b131cc76e2315a6969e5d842ee00ac7d
      Size/MD5:   729156 ecb7523175cc86845a65a45e584c52f4
      Size/MD5:   174808 75929f5b8f8665d595d71b1477428fe8

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   169262 d1227121940771c773000adf86cb2b25
      Size/MD5:   510838 cedeacff8c06c39c973cb49e14098a72
      Size/MD5:   710240 a69b147b9aa4e84755128b20cf8d6cc0
      Size/MD5:   163088 2dc3c7c08147eb59e3b10df00a84380d
      Size/MD5:   714840 ef9596a90e8f5d3872dbb533c2e3a785
      Size/MD5:   167244 0eb1ef9b9f24c1ce216bfac5ac61a770

Updated packages for Ubuntu 7.10:

  Source archives:
      Size/MD5:    23038 ec29fe4a6ce15381ee4d18977a01cf54
      Size/MD5:     1070 ee6f69c49d16d34809984d41ba9a95d9
      Size/MD5:  2127522 b8f272cfe98fd5570447469e2faea844

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   175802 1031a8edbe06cac94c392dedc7453fe5
      Size/MD5:  1030904 97008fb6866a84bfc1bfc6aadc387c37
      Size/MD5:   180212 8879fd596ec6d374ecc3db7c590a4dee
      Size/MD5:   186854 216542e4ee0aa37b12dfceb9f782431f
      Size/MD5:   828040 3bef020322ca21c8673b55bcde5a7555
      Size/MD5:   835418 03a845d4637949826e4b606675643351

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   174936 a69d59cba07ca9611470fa45c441d41f
      Size/MD5:   998270 4adafc7307dec5a9194e53d27046862a
      Size/MD5:   176140 63ce96a012b6b57e14ada06f633293f8
      Size/MD5:   182128 cc373dd8b1383abc9647b2755dcc82c2
      Size/MD5:   802764 b4f2f06c793123ffc85ecd754d27a799
      Size/MD5:   808706 4cdc8ddd315dbd125b6dd6fd9254f584

  lpia architecture (Low Power Intel Architecture):
      Size/MD5:   174826 826bd0dc3bab6c9df46b737c99a4cc12
      Size/MD5:  1016026 54999bbac5f7b80c03a450d0fa782e2c
      Size/MD5:   174294 4b881eab13f96f101f233b8d8066a1eb
      Size/MD5:   180832 7e9738237d5a15b0117463d9c9067925
      Size/MD5:   800482 8f79859acd3d9c5656c8776bd595aa17
      Size/MD5:   806612 d310180304c4688ad36b734a929514aa

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   179486 e0fb5643133b30cc3e258820cf17d67d
      Size/MD5:  1045612 845b188923e649bc8a165b8356e7f406
      Size/MD5:   187794 cd8cd13657a67c0367bae7c821075cbb
      Size/MD5:   193612 d4178d220ba2d1e12005387e9226a27b
      Size/MD5:   826054 ce04418fbb88124acc4705e9372ecd30
      Size/MD5:   831906 3a8efee4daf4b2ca73165bd2ec1e2883

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   175644 6b184238aa16330227fa2ef555b6e558
      Size/MD5:   990958 66b0b3669cba60f631ed6a0a24617188
      Size/MD5:   174762 e8750cc8896cfcffce4815777ac3caee
      Size/MD5:   179512 c0e79f63b732fbbc405652f107878b84
      Size/MD5:   808072 684fb0a815911676557b5debd393a1fe
      Size/MD5:   814506 1aa48c17a5be7a7373b045abfc18da3d

Updated packages for Ubuntu 8.04 LTS:

  Source archives:
      Size/MD5:    23694 d86f917e0253ba822db6d2424798463c
      Size/MD5:     1101 1a3e33be24181c7ffc8f7b60816e249d
      Size/MD5:  2285430 76ff5a7fa2e00b25ded5302885d4c3e2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   197866 101c380ab9d9ab90cd8eb29feb9b1afc
      Size/MD5:  1054384 bc98cdd6d1571106757d2411ad6ffd3c
      Size/MD5:   202642 f663841bc8e03556b2d41ef1d7260930
      Size/MD5:   209456 e8acd7503ad26b01aae5375b90178a48
      Size/MD5:   896296 fd68ba64689210d59e867787ba4abb20
      Size/MD5:   904552 7644776a5d3a3b1922a3507a37ec05dc

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   197074 00eb30ecbc6793f1d10bed5c8bbf5bf5
      Size/MD5:  1039734 541d32169bfe1529dd2d4745a1226eb1
      Size/MD5:   198480 b4ca187d0408dc35836646c5f966bf90
      Size/MD5:   205782 c61cf64efc7baa7cb37a03bed19cfa6a
      Size/MD5:   870314 7e275b66161a6cf9c32fbdc4750805eb
      Size/MD5:   877390 b8889ec5febb2da66b0dae49295e6844

  lpia architecture (Low Power Intel Architecture):
      Size/MD5:   196994 f85f088f37ed84c756fd75a5ba9c1829
      Size/MD5:  1046972 f93a0314315ca010c1e000d6094b529e
      Size/MD5:   197474 bedb0ae75d50745d9070d598a7f3bbed
      Size/MD5:   204090 7db96e2a1af5229b5c05fe332c30f756
      Size/MD5:   869990 16be192ab09c1ca78a48d50b599b6868
      Size/MD5:   876092 896c0bbc2eee392cbac4a18b5996931b

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   201932 c3f6e455e85ddc6e69daf3431ea58e74
      Size/MD5:  1063946 a5d52c748048bf586cedb02daf29fb7a
      Size/MD5:   210994 5602b8c0c9979c0eba7eff319d5bc77e
      Size/MD5:   216006 8d65ea79097e0e635f75382d7aaecf6b
      Size/MD5:   895512 ef52c8d4b5a097751646d1174bca4c35
      Size/MD5:   902650 dd88be6fee4e0382db0af0cc490877b0

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   197586 db78b2c9b6402e0f9ed9cb9bf7cd4872
      Size/MD5:  1027024 0ead1406330f62ff04c0177d185a53a9
      Size/MD5:   196652 3e829cf092deb68935946eccb4471663
      Size/MD5:   202218 ba4d43feba5bc66630d46766f1ae5dd3
      Size/MD5:   877208 20b30bf93d62e6c2c165ee6be374435f
      Size/MD5:   883238 66b2bc1ab0da39b981e35aaf694e6b67

Updated packages for Ubuntu 8.10:

  Source archives:
      Size/MD5:    22211 6e74e8584ae7aebb6c14d3a114796454
      Size/MD5:     1491 9b355d2d245a85cbca121726652e7f8d
      Size/MD5:  2273077 4fe99398a64a34613c9db7bd61bf6e3c

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:   210246 d67a5eb49a6f5e427bd1654007f455a7
      Size/MD5:  1124684 57f1830f3a2e4ffdec0180717f3191a0
      Size/MD5:   216106 e36ff6ee975146c248c293ce0f8cfc6b
      Size/MD5:   223206 56e2f570c4c989bca172cfc09a370d39
      Size/MD5:   926082 5cc5411540ce23be3354b1f4d5fc041f
      Size/MD5:   933036 adcb522fbbb4f3ab68b4fa8af804d5b7

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:   209080 80b442fba7924160f234f6d2fc5be8ea
      Size/MD5:  1091876 d294a4ad45febe82279359741d6958c4
      Size/MD5:   212550 7c5a86d097564f4563cd4992c65544a9
      Size/MD5:   219490 83026954c17912ed54036e2f81118310
      Size/MD5:   899576 bb001dda2e0e9def2d08f99497adfbcd
      Size/MD5:   905326 74ff52579922240c1a034c0f223b1a1a

  lpia architecture (Low Power Intel Architecture):
      Size/MD5:   208732 cdc604e918825dd8ca06fb07b69d90ba
      Size/MD5:  1099032 5e1a71fa663f6f21944bf7078c57aebe
      Size/MD5:   210790 2486bf054d91bf5e5cd32fae20d2002a
      Size/MD5:   217316 32814e9da3f6ea13b6b2a77e872f92fc
      Size/MD5:   898464 3028bc84dcbc05a2a65d50f49f0ed2f0
      Size/MD5:   903772 00495fb44aba7d390ddb7643de104fca

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:   212494 c0ad35c9fbaa7afeb9247b948bf3720e
      Size/MD5:  1130288 8a65d0227f3697b505e4634cff6831fd
      Size/MD5:   223618 b5d5085350540d988abc19c5dcb04ea6
      Size/MD5:   229464 8053abc5beb65a37ea489eeec41ab2c2
      Size/MD5:   925362 8277d9fb3b898cf90e4fa46ffcf71147
      Size/MD5:   931700 13f3edf118024e221d7f45abd05c0e7e

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5:   209542 6478e46bb2850c50f7b4def0d86b730b
      Size/MD5:  1072458 5eaf45a5c000a1f8b0d09bbab983b8ae
      Size/MD5:   209228 83c8fcd128286fd77d9983fff53d9563
      Size/MD5:   213982 bf031afa898326f814e2dea63fdc0523
      Size/MD5:   904780 f3ac8d6aab6a12a4b8462152e38463a9
      Size/MD5:   909856 c991e46b6bb3a47c79e7615f398de261

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

Version: GnuPG v1.4.9 (GNU/Linux)



--==============12105205218476806=Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

ubuntu-security-announce mailing list
Modify settings or unsubscribe at:

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Weekend Edition
Four fake Google haxbots hit YOUR WEBSITE every day
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
The Barnaby Jack Few Knew: Celebrated Hacker Saw Spotlight as 'Necessary Evil'
What I Learned from Edward Snowden at the Hacker Conference
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.