curl versions between 7.10.6 and 7.21.6 inclusive delegate the client's Kerberos ticket-granting ticket to the server silently, which allows the server to impersonate the client to any other GSS-authenticated service.
This vulnerability has been public since 2011-06-23 and has been assigned the identifier CVE-2011-2192.
Upstream has released a new version, 7.21.7, fixing this flaw and provided a separate patch <http://curl.haxx.se/curl-gssapi-delegation.patch> to easily secure older curl versions.
Users with non-forwardable tickets (/etc/krb5.conf, section libdefaults, option forwardable=no) are not vulnerable.
Thank you for the bug, Petr.
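The two facts in the report above, the affected version range and the forwardable-ticket condition, turned into checks an administrator can run. This is an added example, not code from the bug thread, the CVE text, or curl or MIT krb5 upstream; the helper names (`is_vulnerable_curl_version`, `krb5_forwardable`, `krb5_libdefaults_forwardable_value`) and the EXAMPLE.COM krb5.conf it writes to a temp file are constructed for the demo.

```shell
#!/bin/sh
# Added example; not from the Gentoo bug thread or from curl/krb5 upstream.
# Two defender-side checks derived from the report text:
#   is_vulnerable_curl_version VER  -> succeeds when 7.10.6 <= VER <= 7.21.6
#   krb5_forwardable FILE           -> succeeds when [libdefaults] forwardable
#                                      evaluates true in the given krb5.conf
# Hosts whose tickets are non-forwardable cannot have a TGT delegated.

# Map a dotted version "a.b.c" onto a single comparable integer.
version_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Affected range taken from the bug report: 7.10.6 through 7.21.6 inclusive.
is_vulnerable_curl_version() {
    k=$(version_key "$1")
    lo=$(version_key 7.10.6)
    hi=$(version_key 7.21.6)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Extract the first "forwardable" relation inside [libdefaults].
# Lines starting with # or ; are comments; a trailing comment after the
# value is stripped. Prints nothing when the option is absent.
krb5_libdefaults_forwardable_value() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == "libdefaults" && /^[ \t]*forwardable[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t#;].*$/, "", val)
            print tolower(val)
            exit
        }
    ' "$1"
}

# MIT krb5 accepts several spellings for a boolean; an unset option
# defaults to false, so absence is reported as "not forwardable".
krb5_forwardable() {
    case "$(krb5_libdefaults_forwardable_value "$1")" in
        true|yes|on|1|y|t) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Demo on a constructed krb5.conf (the realm and KDC names are made up).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample, not a real configuration
[libdefaults]
    default_realm = EXAMPLE.COM
    forwardable = true     # this host hands out delegatable TGTs
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
EOF

for v in 7.10.5 7.10.6 7.21.6 7.21.7; do
    if is_vulnerable_curl_version "$v"; then
        echo "curl $v: in affected range"
    else
        echo "curl $v: not in affected range"
    fi
done

if krb5_forwardable "$demo_conf"; then
    echo "krb5.conf: tickets forwardable, delegation by an affected curl is possible"
else
    echo "krb5.conf: tickets not forwardable, TGT delegation cannot occur"
fi
rm -f "$demo_conf"
```

The config check only reads `[libdefaults]`, which is the scope the report names; it does not evaluate `[appdefaults]` or per-realm overrides, so a ticket already in the cache should be confirmed with `klist -f`, where the `F` flag marks a forwardable ticket.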
The Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6
through 7.21.6, as used in curl and other products, always performs
credential delegation during GSSAPI authentication, which allows remote
servers to impersonate clients via GSSAPI requests.
Fixed in .7, which I added to the tree today.
Please make sure to stabilize -r0; -r1 contains some cross-compilation changes that need more intensive testing first.
Also see the blocking bug: c-ares-1.6 is required for curl-7.21.
I took the liberty of stabilizing ahead of schedule, since I've been testing rdeps of bug 369501.
ppc/ppc64 done with =net-misc/curl-7.21.7
This is getting slightly worse: 7.21.7 removed an empty header, so a couple of apps need to be fixed by simply removing the header (bug 376007).
Christoph, can we continue with stabilization of net-misc/curl-7.21.7? Thanks
Fixed with =net-misc/curl-7.24.0
Adding to existing GLSA request.
This issue was resolved and addressed in
GLSA 201203-02 at http://security.gentoo.org/glsa/glsa-201203-02.xml
by GLSA coordinator Sean Amoss (ackle).