RHBA-2011:0573 - Bug Fix Advisory

Topic

Updated curl packages that fix bugs in HTTPS, FTP, LDAP and proxy kerberos
authentication are now available.

Description

cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS,
DICT, TELNET and TFTP servers, using any of the supported protocols.
cURL is designed to work without user interaction or any kind of
interactivity. cURL offers many useful capabilities, like proxy support,
user authentication, FTP upload, HTTP post, and file transfer resume.

This update fixes the following bugs:

• libcurl introduced a segfault where a RHEL 6.1 machine registered at

RHN would result in a segmentation fault (core dumped) after running
"yum clean all" and "yum update" respectively. "CERT_GetDefaultCertDB"
is now used to prevent a segmentation fault after the "yum clean all"
and "yum update" sequence. (BZ#690273)

• libcurl HTTPS connections failed with a CURLE_OUT_OF_MEMORY error when

given a certificate file name without a "/". This is now fixed to treat
such a string as certificate nickname and if a file with the same name
exists and libcurl runs in verbose mode, a warning is issued. The updated
documentation now suggests to use the "./" prefix to load a file from the
current directory. (BZ#623663)

• A rebuild operation for curl failed if the libnih-devel package was

installed. This is now fixed to allow a rebuild whether libnih-devel is
installed, not installed or has a broken installation. (BZ#669048)

• libcurl ignored the CA path provided in CURLOPT_CAPATH and consequently

curl ignored the "--capath" argument provided. This is fixed so that
libcurl now uses the value provided with the the "--capath" argument.
(BZ#669702)

• libcurl leaked memory and eventually resulted in a failed NSS shutdown

when more than one CA certificate was loaded. This is now fixed so that
libcurl works as expected when more than one CA certificates is loaded.
(BZ#670802)

• libcurl leaked memory when an SSL connection failed. This is now fixed

to prevent the memory leak during an SSL connection failure. (BZ#678594)

• libcurl FTP protocol implementation was unable to handle server session

timeouts correctly. This is now fixed so that libcurl drops the connection
when a 421 timeout response is received. (BZ#651592)

• libcurl failed when an LDAP request was sent using curl through a HTTP

proxy in tunnel mode (curl option "-p" or "--proxytunnel"). Curl tried to
connect directly to the LDAP server via the proxy port and consequently
failed. This is now fixed to allow libcurl LDAP connections through HTTP
proxies to work as expected. (BZ#655134)

• libcurl was unable to authenticate http proxies via Kerberos. This is

now fixed and libcurl can successfully authenticate http proxies via
Kerberos. (BZ#625685)

• When libcurl connected a second time to an SSL server with the same

server certificate, the server's certificate was not re-authenticated
because libcurl confirmed authenticity before the first connection to
the server. This is fixed by disabling the SSL cache when it is not
verifying a certificate to force the verification of the certificate
on the second use. (BZ#678580)

• Kerberos authentication was broken for reused curl handles, which

prevented "git clone"' from working with Kerberos authenticated web
servers. This is now fixed to allow "git clone" operations to
successfully authenticate and carry out operations. (BZ#684892)

• It was not possible to use two distinct client certificates to connect

two times in a row to the same SSL server. This is now fixed to allow two
different client certifications to connect to the same SSL server.
(BZ#694294)

Users of curl should upgrade to these updated packages, which contain
back-ported patches to correct these issues. All running applications
using libcurl must be restarted for the update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 623663 - curl returns CURLE_OUT_OF_MEMORY when client certificate is given
• BZ - 625685 - Unable to use proxy with kerberos authentication for https
• BZ - 651592 - Curl does not handle FTP server timeout gracefully
• BZ - 655134 - proxy tunnel support for LDAP requests is broken
• BZ - 669048 - Cannot rebuild curl if libnih-devel installed
• BZ - 669702 - Curl does not honour -capath
• BZ - 670802 - curl --capath memory leakage
• BZ - 678580 - suboptimal handling of CURLOPT_SSL_VERIFYPEER
• BZ - 678594 - memory leak on SSL connection failure
• BZ - 684892 - GSS authentication is broken in libcurl, preventing 'git clone' from working
• BZ - 694294 - curl AND nss need to be able to use pem files interchangeably in a single process

CVEs

(none)

References

(none)