Red Hat Product Errata RHSA-2009:0341 - Security Advisory
Issued:
2009-03-19
Updated:
2009-03-19

RHSA-2009:0341 - Security Advisory

Synopsis

Moderate: curl security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated curl packages that fix a security issue are now available for Red
Hat Enterprise Linux 2.1, 3, 4, and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

cURL is a tool for getting files from FTP, HTTP, Gopher, Telnet, and Dict
servers, using any of the supported protocols. cURL is designed to work
without user interaction or any kind of interactivity.

David Kierznowski discovered a flaw in libcurl where it would not
differentiate between different target URLs when handling automatic
redirects. This caused libcurl to follow any new URL that it understood,
including the "file://" URL type. This could allow a remote server to force
a local libcurl-using application to read a local file instead of the
remote one, possibly exposing local files that were not meant to be
exposed. (CVE-2009-0037)

Note: Applications using libcurl that are expected to follow redirects to
"file://" protocol must now explicitly call curl_easy_setopt(3) and set the
newly introduced CURLOPT_REDIR_PROTOCOLS option as required.

cURL users should upgrade to these updated packages, which contain
backported patches to correct these issues. All running applications using
libcurl must be restarted for the update to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server 3 x86_64
  • Red Hat Enterprise Linux Server 3 ia64
  • Red Hat Enterprise Linux Server 3 i386
  • Red Hat Enterprise Linux Server 2 ia64
  • Red Hat Enterprise Linux Server 2 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7 i386
  • Red Hat Enterprise Linux Server - AUS 5.3 x86_64
  • Red Hat Enterprise Linux Server - AUS 5.3 ia64
  • Red Hat Enterprise Linux Server - AUS 5.3 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Workstation 3 x86_64
  • Red Hat Enterprise Linux Workstation 3 ia64
  • Red Hat Enterprise Linux Workstation 3 i386
  • Red Hat Enterprise Linux Workstation 2 ia64
  • Red Hat Enterprise Linux Workstation 2 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Desktop 3 x86_64
  • Red Hat Enterprise Linux Desktop 3 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems 3 s390x
  • Red Hat Enterprise Linux for IBM z Systems 3 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.3 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7 s390
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian 3 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.3 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 485271 - CVE-2009-0037 curl: local file access via unsafe redirects

Red Hat Enterprise Linux Server 5

SRPM
x86_64
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108
curl-7.15.5-2.1.el5_3.4.x86_64.rpm SHA-256: 5f7289fd54438dd0fba4f1bffcda686fd40011448846e9ceed7e50f9d29f34d6
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 1942f1fb032495bc25dd9cbbdc3521c530ed2b82490f706705cf014837c1326b
curl-devel-7.15.5-2.1.el5_3.4.x86_64.rpm SHA-256: abe094fd4c4573339f667cbb405079a102e9891a3f3805e9a6aa3443629cf818
ia64
curl-7.15.5-2.1.el5_3.4.ia64.rpm SHA-256: b28aa1731967098cfaf3efb98f27285dbc5dec21b30b1df5f5eadb36debf9caf
curl-devel-7.15.5-2.1.el5_3.4.ia64.rpm SHA-256: 10f168982491923de66d0dc8b1907e2e2d75cc9cd44b113dcd62260060af91d4
i386
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 1942f1fb032495bc25dd9cbbdc3521c530ed2b82490f706705cf014837c1326b

Red Hat Enterprise Linux Server 4

SRPM
x86_64
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: c34b864699a7ffd3e850ca2209e74de4e933fa68d2e6ba9108df395048047da8
curl-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: c34b864699a7ffd3e850ca2209e74de4e933fa68d2e6ba9108df395048047da8
curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: b92a171b0f9a8342c464374557f46adc91826ab040a562df8fa30cbaa41b91e4
curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: b92a171b0f9a8342c464374557f46adc91826ab040a562df8fa30cbaa41b91e4
ia64
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: e98f4de762f3de08db5338ff07ffe22a0003c4ae2a1cbb20777e192c272d61cd
curl-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: e98f4de762f3de08db5338ff07ffe22a0003c4ae2a1cbb20777e192c272d61cd
curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: 1ae1849a7055e91be4342c0456a5bb0316e539154f0bcbfcea1985eb7b31d632
curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: 1ae1849a7055e91be4342c0456a5bb0316e539154f0bcbfcea1985eb7b31d632
i386
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-devel-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 59e5b9ba48b430bacefcb70b62136cc7aecb4253cd9c19ed466722908fbb075c
curl-devel-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 59e5b9ba48b430bacefcb70b62136cc7aecb4253cd9c19ed466722908fbb075c

Red Hat Enterprise Linux Server 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Server 2

SRPM
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4.7

SRPM
x86_64
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: c34b864699a7ffd3e850ca2209e74de4e933fa68d2e6ba9108df395048047da8
curl-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: c34b864699a7ffd3e850ca2209e74de4e933fa68d2e6ba9108df395048047da8
curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: b92a171b0f9a8342c464374557f46adc91826ab040a562df8fa30cbaa41b91e4
curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: b92a171b0f9a8342c464374557f46adc91826ab040a562df8fa30cbaa41b91e4
ia64
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: e98f4de762f3de08db5338ff07ffe22a0003c4ae2a1cbb20777e192c272d61cd
curl-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: e98f4de762f3de08db5338ff07ffe22a0003c4ae2a1cbb20777e192c272d61cd
curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: 1ae1849a7055e91be4342c0456a5bb0316e539154f0bcbfcea1985eb7b31d632
curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: 1ae1849a7055e91be4342c0456a5bb0316e539154f0bcbfcea1985eb7b31d632
i386
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-devel-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 59e5b9ba48b430bacefcb70b62136cc7aecb4253cd9c19ed466722908fbb075c
curl-devel-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 59e5b9ba48b430bacefcb70b62136cc7aecb4253cd9c19ed466722908fbb075c

Red Hat Enterprise Linux Server - AUS 5.3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 5

SRPM
x86_64
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108
curl-7.15.5-2.1.el5_3.4.x86_64.rpm SHA-256: 5f7289fd54438dd0fba4f1bffcda686fd40011448846e9ceed7e50f9d29f34d6
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 1942f1fb032495bc25dd9cbbdc3521c530ed2b82490f706705cf014837c1326b
curl-devel-7.15.5-2.1.el5_3.4.x86_64.rpm SHA-256: abe094fd4c4573339f667cbb405079a102e9891a3f3805e9a6aa3443629cf818
i386
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 1942f1fb032495bc25dd9cbbdc3521c530ed2b82490f706705cf014837c1326b

Red Hat Enterprise Linux Workstation 4

SRPM
x86_64
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: c34b864699a7ffd3e850ca2209e74de4e933fa68d2e6ba9108df395048047da8
curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: b92a171b0f9a8342c464374557f46adc91826ab040a562df8fa30cbaa41b91e4
ia64
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: e98f4de762f3de08db5338ff07ffe22a0003c4ae2a1cbb20777e192c272d61cd
curl-devel-7.12.1-11.1.el4_7.1.ia64.rpm SHA-256: 1ae1849a7055e91be4342c0456a5bb0316e539154f0bcbfcea1985eb7b31d632
i386
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-devel-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 59e5b9ba48b430bacefcb70b62136cc7aecb4253cd9c19ed466722908fbb075c

Red Hat Enterprise Linux Workstation 3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Workstation 2

SRPM
ia64
i386

Red Hat Enterprise Linux Desktop 5

SRPM
x86_64
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108
curl-7.15.5-2.1.el5_3.4.x86_64.rpm SHA-256: 5f7289fd54438dd0fba4f1bffcda686fd40011448846e9ceed7e50f9d29f34d6
i386
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108

Red Hat Enterprise Linux Desktop 4

SRPM
x86_64
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: c34b864699a7ffd3e850ca2209e74de4e933fa68d2e6ba9108df395048047da8
curl-devel-7.12.1-11.1.el4_7.1.x86_64.rpm SHA-256: b92a171b0f9a8342c464374557f46adc91826ab040a562df8fa30cbaa41b91e4
i386
curl-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 4f031b631a6179c3a105a605eaa1cdb3182328484052b16e0eb129a584542392
curl-devel-7.12.1-11.1.el4_7.1.i386.rpm SHA-256: 59e5b9ba48b430bacefcb70b62136cc7aecb4253cd9c19ed466722908fbb075c

Red Hat Enterprise Linux Desktop 3

SRPM
x86_64
i386

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
s390x
curl-7.15.5-2.1.el5_3.4.s390.rpm SHA-256: d32f53d893d10d406545634b9b1a8a5bc61b1b400477cd54046da7162bbdca69
curl-7.15.5-2.1.el5_3.4.s390x.rpm SHA-256: 8fd384f44cb669cae56ac57a4650fd088e4992e3d0166fef065cddaa21af7c9d
curl-devel-7.15.5-2.1.el5_3.4.s390.rpm SHA-256: 1c31e1c39588aa2945ae930b8226d5120e0377f5811c09f583b14503cfdb52e5
curl-devel-7.15.5-2.1.el5_3.4.s390x.rpm SHA-256: 7ac3d7e339c074cff39e42352b6826e79db03dddb6420b1e7d1e54855933e0a3

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
s390x
curl-7.12.1-11.1.el4_7.1.s390.rpm SHA-256: c26fee856330120bdb1370934ec93652fb7a4ba8ed769ad1b37114a46580c8a9
curl-7.12.1-11.1.el4_7.1.s390x.rpm SHA-256: 8d427b63e66e12a4e75935df4829669298f93c9ac59f66950df65147b61a7011
curl-devel-7.12.1-11.1.el4_7.1.s390x.rpm SHA-256: 3facc97974a1ab662202b0973619624a514792182bf755adcc5c5e5146c61700
s390
curl-7.12.1-11.1.el4_7.1.s390.rpm SHA-256: c26fee856330120bdb1370934ec93652fb7a4ba8ed769ad1b37114a46580c8a9
curl-devel-7.12.1-11.1.el4_7.1.s390.rpm SHA-256: 9e19f18315e15047aa1bf468b0be1ae813acbddea0f6828a1055de3dd2a7579f

Red Hat Enterprise Linux for IBM z Systems 3

SRPM
s390x
s390

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.3

SRPM
s390x

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.7

SRPM
s390x
curl-7.12.1-11.1.el4_7.1.s390.rpm SHA-256: c26fee856330120bdb1370934ec93652fb7a4ba8ed769ad1b37114a46580c8a9
curl-7.12.1-11.1.el4_7.1.s390x.rpm SHA-256: 8d427b63e66e12a4e75935df4829669298f93c9ac59f66950df65147b61a7011
curl-devel-7.12.1-11.1.el4_7.1.s390x.rpm SHA-256: 3facc97974a1ab662202b0973619624a514792182bf755adcc5c5e5146c61700
s390
curl-7.12.1-11.1.el4_7.1.s390.rpm SHA-256: c26fee856330120bdb1370934ec93652fb7a4ba8ed769ad1b37114a46580c8a9
curl-devel-7.12.1-11.1.el4_7.1.s390.rpm SHA-256: 9e19f18315e15047aa1bf468b0be1ae813acbddea0f6828a1055de3dd2a7579f

Red Hat Enterprise Linux for Power, big endian 5

SRPM
ppc
curl-7.15.5-2.1.el5_3.4.ppc.rpm SHA-256: 78610dafbb4b99190b944111f7a13758cad3e77318bbfe4fe527f553efcf20f3
curl-7.15.5-2.1.el5_3.4.ppc64.rpm SHA-256: b023cab106cc944bc6ea00cfdf41dfd17776e01ea15e64f4766e7b42864f5b8b
curl-devel-7.15.5-2.1.el5_3.4.ppc.rpm SHA-256: 0b64dd13c9c5d857dce139d94adf78d18be5faa889fc5c8b085f578aa3937645
curl-devel-7.15.5-2.1.el5_3.4.ppc64.rpm SHA-256: 4d13187acdbd820ade3a7f02a26eed5875235f27ca386849ca62e28d4810cb2c

Red Hat Enterprise Linux for Power, big endian 4

SRPM
ppc
curl-7.12.1-11.1.el4_7.1.ppc.rpm SHA-256: 9584cbc9594c4afaa3e8009f30177bfd04739ad902bde2e7e699ba0e00b82d2d
curl-7.12.1-11.1.el4_7.1.ppc64.rpm SHA-256: f01a8d06f03da902bd40b612af69ac30334705b9237f4b5cd94bd78fcde91348
curl-devel-7.12.1-11.1.el4_7.1.ppc.rpm SHA-256: 8dbfeac7c1d017a08a66e806d24d9e430af4157b5133bccb513f0833945d162a

Red Hat Enterprise Linux for Power, big endian 3

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.3

SRPM
ppc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.7

SRPM
ppc
curl-7.12.1-11.1.el4_7.1.ppc.rpm SHA-256: 9584cbc9594c4afaa3e8009f30177bfd04739ad902bde2e7e699ba0e00b82d2d
curl-7.12.1-11.1.el4_7.1.ppc64.rpm SHA-256: f01a8d06f03da902bd40b612af69ac30334705b9237f4b5cd94bd78fcde91348
curl-devel-7.12.1-11.1.el4_7.1.ppc.rpm SHA-256: 8dbfeac7c1d017a08a66e806d24d9e430af4157b5133bccb513f0833945d162a

Red Hat Enterprise Linux Server from RHUI 5

SRPM
x86_64
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108
curl-7.15.5-2.1.el5_3.4.x86_64.rpm SHA-256: 5f7289fd54438dd0fba4f1bffcda686fd40011448846e9ceed7e50f9d29f34d6
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 1942f1fb032495bc25dd9cbbdc3521c530ed2b82490f706705cf014837c1326b
curl-devel-7.15.5-2.1.el5_3.4.x86_64.rpm SHA-256: abe094fd4c4573339f667cbb405079a102e9891a3f3805e9a6aa3443629cf818
i386
curl-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 5d13d2286fef596b603c410d44b9a0603a2fb00de6ae7e2484cdaf9a947af108
curl-devel-7.15.5-2.1.el5_3.4.i386.rpm SHA-256: 1942f1fb032495bc25dd9cbbdc3521c530ed2b82490f706705cf014837c1326b

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.