RHBA-2012:0241 - Bug Fix Advisory

Topic

An updated curl package that fixes multiple bugs and adds two enhancements is
now available for Red Hat Enterprise Linux 5.

Description

The curl package provides the libcurl library and the cURL command line tool for
transferring data using various protocols, including FTP, HTTP, Gopher, Telnet,
and DICT. Both, libcurl and cURL, support many useful capabilities, such as user
authentication, proxy support, FTP uploading, HTTP POST and PUT methods, SSL
certificates, and file transfer resume.

This update fixes the following bugs:

• In the FTP implementation, libcurl incorrectly called the accept() function

from a system library, which caused a stack overflow under certain
circumstances. This update applies a backported upstream patch that corrects
this bug, and the stack overflow no longer occurs. (BZ#652557)

• Previously, an attempt to send an LDAP request through an HTTP proxy tunnel

ended up with cURL trying to connect to the LDAP server directly using a wrong
port number. With this update, the underlying source code has been modified to
fix this problem, and cURL now works as expected. (BZ#655073)

• Previously, the "multi" interface of libcurl was broken, which caused the "git

push" command to work incorrectly over the Web Distributed Authoring and
Versioning (WebDAV) protocol. This update applies an upstream patch, which
corrects counting of active connections in the "multi" interface. The "git push"
command now works as expected over WebDAV. (BZ#688871)

• As a solution to a security issue, GSSAPI credential delegation was disabled,

which broke the functionality of the applications that were relying on
delegation, which was incorrectly enabled by libcurl. To fix this problem, the
CURLOPT_GSSAPI_DELEGATION libcurl option has been introduced in order to enable
delegation explicitly when applications need it. All applications using GSSAPI
credential delegation can now use this new libcurl option to be able to run
properly. (BZ#723643)

In addition, this update adds the following enhancements:

• Previously, curl did not support proxy authentication using Kerberos. With

this update, underlying code has been modified and curl now allows Kerberos
proxy authentication by using the "--proxy-negotiate" option. (BZ#657396)

• The cURL utility did not allow Kerberos credential delegation although the

libcurl library provided appropriate support for this functionality. This update
introduces a new option, "--delegation", which enables Kerberos credential
delegation in cURL. (BZ#746849)

All users of curl are advised to upgrade to this updated package, which fixes
these bugs and adds these enhancements. All running applications that use
libcurl have to be restarted for this update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 652557 - Tests 253 and 255 FAIL: stack smashing detected
• BZ - 655073 - proxy tunnel support for LDAP requests is broken
• BZ - 657396 - [RFE] backport of --proxy-negotiate code to allow use of kerberos auth proxy
• BZ - 688871 - update running_handles counter properly in curl_multi_remove_handle()
• BZ - 746849 - curl does not support --delegation even though it was added to libcurl

CVEs

(none)

References

(none)