LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Relicensing and rebasing LibreOffice

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Conectiva alert CLA-2005:940 (curl)



From:
    	      Conectiva Updates <secure@conectiva.com.br>


To:
    	      conectiva-updates@papaleguas.conectiva.com.br, lwn@lwn.net,
 bugtraq@securityfocus.com, security-alerts@linuxsecurity.com,
 linsec@lists.seifried.org


Subject:
    	      [CLA-2005:940] Conectiva Security Announcement - curl


Date:
    	      Mon, 21 Mar 2005 10:33:05 -0300


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
- --------------------------------------------------------------------------

PACKAGE   : curl
SUMMARY   : Fix for cURL vulnerability
DATE      : 2005-03-21 10:32:00
ID        : CLA-2005:940
RELEVANT
RELEASES  : 10

- -------------------------------------------------------------------------

DESCRIPTION
 cURL[1] is a client to get/put files from/to servers, using any of
 the supported protocols.
 
 This announcement fixes a remote buffer overflow vulnerability[2] in
 cURL that could allow a malicious servers to execute arbitrary code
 via base64 encoded replies that exceed the intended buffer lengths
 when decoded, which is not properly handled by the Curl_input_ntlm
 function in http_ntlm.c during NTLM authentication or the
 Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos
 authentication.


SOLUTION
 It is recommended that all cURL users upgrade their packages.
 
 IMPORTANT: In order to properly close the vulnerability, all
 applications liked against libcurl should also be restart.
 
 
 REFERENCES
 1.http://curl.haxx.se/
 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0490


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS.curl/curl-7....
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/curl-7.1...
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/libcurl-...
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/libcurl-...
ftp://atualizacoes.conectiva.com.br/10/RPMS.curl/libcurl2...


ADDITIONAL INSTRUCTIONS
 The apt tool can be used to perform RPM packages upgrades:

 - run:                 apt-get update
 - after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples 
 can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at 
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFCPs0Q42jd0JmAcZARAix3AJ4oxGCmj+0FjIKRFbHvLkbsDFWR6QCffTy3
rqypCYsGgsLrYjXN/aIgjQk=
=zdja
-----END PGP SIGNATURE-----
(Log in to post comments)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds