| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <net-misc/curl-7.24.0: inappropriate GSSAPI delegation (CVE-2011-2192) | | |
| Product: | Gentoo Security | Reporter: | Petr Pisar <petr.pisar> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | angelos |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://curl.haxx.se/docs/adv_20110623.html | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 369501, 400799 | | |
| Bug Blocks: | | | |
Description
Petr Pisar
2011-06-27 19:43:01 UTC

Thank you for the bug, Petr. CVE-2011-2192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192): The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.

Fixed in .7, which I added to the tree today. Please make sure to stabilize -r0; -r1 contains some cross-compilation changes that need more intensive testing first. Also see the blocking bug: c-ares-1.6 is required for curl-7.21.

I took the liberty of stabilizing ahead of schedule, since I've been testing rdeps of bug 369501.

ppc/ppc64 done with =net-misc/curl-7.21.7

This is getting slightly worse: 7.21.7 removed an empty header, so a couple of apps need to be fixed by simply removing the header (bug 376007).

Christoph, can we continue with stabilization of net-misc/curl-7.21.7? Thanks

Fixed with =net-misc/curl-7.24.0

Adding to existing GLSA request.

This issue was resolved and addressed in GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml by GLSA coordinator Sean Amoss (ackle).
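The CVE text above says libcurl "always performs credential delegation", which in GSSAPI terms means the request flags handed to gss_init_sec_context() unconditionally carried the delegation bit, so any server the client authenticated to (including a rogue one) received a forwardable copy of the client's Kerberos credentials. The following is an added illustration, not code from curl or from this bug: it models the vulnerable flag computation next to the fixed one. The flag values are the standard RFC 2744 constants (and the MIT GSS_C_DELEG_POLICY_FLAG extension) so no GSSAPI headers are needed; the three-way delegation policy mirrors the CURLOPT_GSSAPI_DELEGATION / `--delegation` opt-in that curl 7.22.0 added after 7.21.7 turned delegation off. Which non-delegation flags libcurl actually requested is not stated on this page; GSS_C_MUTUAL_FLAG is used here as an assumed companion flag.

```c
/* Added example, not curl's own code: models the gss_init_sec_context()
 * req_flags that decide whether a Kerberos client's credentials are
 * forwarded to the HTTP server during Negotiate authentication. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 2744 request-flag values (locally defined so this runs without gssapi.h). */
#define GSS_C_DELEG_FLAG        1u      /* forward the caller's credentials to the peer */
#define GSS_C_MUTUAL_FLAG       2u      /* assumed companion flag: mutual authentication */
/* MIT Kerberos extension: delegate only if the KDC marked the service OK-AS-DELEGATE. */
#define GSS_C_DELEG_POLICY_FLAG 32768u

/* Mirrors the CURLGSSAPI_DELEGATION_* choices curl 7.22.0 introduced (assumption). */
enum deleg_policy {
    DELEG_NONE   = 0,   /* never delegate (the post-7.21.7 default) */
    DELEG_POLICY = 1,   /* delegate only where KDC policy permits */
    DELEG_ALWAYS = 2    /* unconditional delegation, explicit opt-in */
};

/* Vulnerable behaviour (libcurl 7.10.6 - 7.21.6): the delegation bit is always set,
 * so every server the client authenticates to receives forwardable credentials. */
uint32_t req_flags_vulnerable(void)
{
    return GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
}

/* Fixed behaviour: no delegation unless the application opts in. */
uint32_t req_flags_fixed(enum deleg_policy policy)
{
    uint32_t flags = GSS_C_MUTUAL_FLAG;
    switch (policy) {
    case DELEG_ALWAYS:
        flags |= GSS_C_DELEG_FLAG;
        break;
    case DELEG_POLICY:
        flags |= GSS_C_DELEG_POLICY_FLAG;
        break;
    case DELEG_NONE:
    default:
        break;
    }
    return flags;
}

/* True if the request flags can hand the client's credentials to the server. */
bool may_delegate(uint32_t flags)
{
    return (flags & (GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG)) != 0;
}

int main(void)
{
    printf("vulnerable: may_delegate=%d\n", may_delegate(req_flags_vulnerable()));
    printf("fixed/none: may_delegate=%d\n", may_delegate(req_flags_fixed(DELEG_NONE)));
    printf("fixed/policy: may_delegate=%d\n", may_delegate(req_flags_fixed(DELEG_POLICY)));
    printf("fixed/always: may_delegate=%d\n", may_delegate(req_flags_fixed(DELEG_ALWAYS)));
    return 0;
}
```

The practical caveat for anyone stabilizing this package: because the fix flips the default, applications that relied on the old behaviour (for example, a web front end that authenticated with Negotiate and then used the forwarded ticket to reach a back-end service) stop delegating after the upgrade and must opt in explicitly; the policy-based variant is the safer opt-in, since the KDC, not the remote server, decides who may receive delegated credentials.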
Thank you for bug, Petr. CVE-2011-2192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2192): The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests. fixed in .7 which I added to the tree today please make sure to stabilize -r0, -r1 contains some cross compilation changes that need more intensive testing first. also see the blocking bug, c-ares-1.6 is required for curl-7.21 I took the liberty of stabilizing ahead of schedule, since I've been testing rdeps of bug 369501. ppc/ppc64 done with =net-misc/curl-7.21.7 this is getting slightly worse, 7.21.7 removed an empty header. so a couple of apps needs to be fixed by simply removing the header (bug 376007) Christoph, can we continue with stabilization of net-misc/curl-7.21.7? Thanks Fixed with =net-misc/curl-7.24.0 Adding to existing GLSA request. This issue was resolved and addressed in GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml by GLSA coordinator Sean Amoss (ackle). |