 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:180
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : curl
 Date    : June 27, 2013
 Affected: Business Server 1.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability has been discovered and corrected in curl:

 libcurl is vulnerable to a case of bad checking of the input data
 which may lead to heap corruption. The function curl_easy_unescape()
 decodes URL encoded strings to raw binary data. URL encoded octets are
 represented with %HH combinations where HH is a two-digit hexadecimal
 number. The decoded string is written to an allocated memory area that
 the function returns to the caller (CVE-2013-2174).

 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2174
 http://curl.haxx.se/docs/adv_20130622.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 mes5/i586/curl-7.19.0-2.7mdvmes5.2.i586.rpm
 mes5/i586/curl-examples-7.19.0-2.7mdvmes5.2.i586.rpm
 mes5/i586/libcurl4-7.19.0-2.7mdvmes5.2.i586.rpm
 mes5/i586/libcurl-devel-7.19.0-2.7mdvmes5.2.i586.rpm
 mes5/SRPMS/curl-7.19.0-2.7mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 mes5/x86_64/curl-7.19.0-2.7mdvmes5.2.x86_64.rpm
 mes5/x86_64/curl-examples-7.19.0-2.7mdvmes5.2.x86_64.rpm
 mes5/x86_64/lib64curl4-7.19.0-2.7mdvmes5.2.x86_64.rpm
 mes5/x86_64/lib64curl-devel-7.19.0-2.7mdvmes5.2.x86_64.rpm
 mes5/SRPMS/curl-7.19.0-2.7mdvmes5.2.src.rpm

 Mandriva Business Server 1/X86_64:
 mbs1/x86_64/curl-7.24.0-2.2.mbs1.x86_64.rpm
 mbs1/x86_64/curl-examples-7.24.0-2.2.mbs1.x86_64.rpm
 mbs1/x86_64/lib64curl4-7.24.0-2.2.mbs1.x86_64.rpm
 mbs1/x86_64/lib64curl-devel-7.24.0-2.2.mbs1.x86_64.rpm
 mbs1/SRPMS/curl-7.24.0-2.2.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
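Added example (not part of the advisory and not libcurl's code): a length-bounded %HH decoder in C that decodes an escape only when both hex digits lie inside the declared input length, so a trailing or truncated "%" is copied through literally instead of being read past. The names pct_decode and hexval are hypothetical, and the sample input is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit (caller checked isxdigit). */
static unsigned char hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return (unsigned char)(c - '0');
    return (unsigned char)(tolower(c) - 'a' + 10);
}

/* Hypothetical decoder: decode %HH in the first `len` bytes of `in`.
 * Returns a malloc'ed, NUL-terminated buffer and stores the decoded
 * length in *outlen; returns NULL if the buffer cannot be allocated. */
char *pct_decode(const char *in, size_t len, size_t *outlen)
{
    /* Decoding never grows the data, so len + 1 bytes always suffice. */
    char *out = (len == (size_t)-1) ? NULL : malloc(len + 1);
    size_t i = 0, o = 0;
    if (!out) return NULL;
    while (i < len) {
        unsigned char c = (unsigned char)in[i];
        /* len - i > 2 guarantees in[i+1] and in[i+2] are inside the
         * declared input before either byte is examined. */
        if (c == '%' && len - i > 2 &&
            isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            c = (unsigned char)(hexval((unsigned char)in[i + 1]) << 4 |
                                hexval((unsigned char)in[i + 2]));
            i += 2;
        }
        out[o++] = (char)c;
        i++;
    }
    out[o] = '\0';
    *outlen = o;
    return out;
}

int main(void)
{
    size_t n = 0;
    /* Constructed input: the declared length 4 ends at the '%'. */
    char *s = pct_decode("abc%41", 4, &n);
    if (s) printf("%zu bytes: %s\n", n, s);
    free(s);
    return 0;
}
```

Because the decoded length is returned separately, callers should use it rather than strlen() when the input may contain %00.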