Bug 132299

Summary: vuxml submission for ftp/curl
Product: Ports & Packages
Reporter: mark
Component: Individual Port(s)
Assignee: Peter Pentchev <roam>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description mark 2009-03-04 04:10:01 UTC

Fix: 

<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
   <vuln vid="5d433534-f41c-402e-ade5-e0a2259a7cb6">
     <topic>curl -- cURL/libcURL Location: Redirect URLs Security Bypass</topic>
     <affects>
       <package>
         <name>curl</name>
         <range><lt>7.19.4</lt><ge>5.11</ge></range>
       </package>
     </affects>
     <description>
       <body xmlns="http://www.w3.org/1999/xhtml">
         <p>Secunia reports:</p>
         <blockquote cite="http://secunia.com/advisories/34138/">
           <p>The security issue is caused due to cURL following HTTP Location:
redirects to e.g. scp:// or file:// URLs which can be exploited
by a malicious HTTP server to overwrite or disclose the content of
arbitrary local files and potentially execute arbitrary commands via
specially crafted redirect URLs.</p>
         </blockquote>
       </body>
     </description>
     <references>
      <cvename>CVE-2009-0037</cvename>
      <url>http://secunia.com/advisories/34138/</url>
     </references>
     <dates>
       <discovery>2009-03-03</discovery>
       <entry>2009-03-03</entry>
     </dates>
   </vuln>
</vuxml>
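
The advisory quoted above turns on a client following a `Location:` redirect into a non-HTTP scheme such as scp:// or file://. As an added example (not part of this PR, the VuXML entry or curl's own code), the Python below resolves each `Location:` value the way a client's redirect loop would and refuses any scheme outside an allowlist; the allowlist, the hop limit and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Assumption for this example: a redirect may only lead to a web scheme.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})
MAX_REDIRECTS = 5  # assumed hop limit


class RedirectRefused(Exception):
    """Raised when a Location: target must not be followed."""


def resolve_redirect(current_url, location):
    """Resolve a Location: value against the current URL and enforce the allowlist.

    Returns the absolute URL to request next, or raises RedirectRefused.
    """
    # Relative and scheme-relative values inherit the scheme of the current URL;
    # absolute values (file://, scp://, ...) carry their own and are checked as-is.
    target = urljoin(current_url, location.strip())
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_REDIRECT_SCHEMES:
        raise RedirectRefused(f"refusing redirect to scheme {scheme!r}: {target!r}")
    return target


def follow_chain(start_url, locations):
    """Walk a chain of Location: values and return the final URL.

    `locations` stands in for the headers a server would send, so no network is used.
    """
    url = start_url
    for hop, location in enumerate(locations, start=1):
        if hop > MAX_REDIRECTS:
            raise RedirectRefused("too many redirects")
        url = resolve_redirect(url, location)
    return url


if __name__ == "__main__":
    # Constructed sample chains: one benign, two that leave the web schemes.
    samples = [
        ["/moved", "https://www.example.org/final"],
        ["/moved", "file:///constructed/local/path"],
        ["scp://user@host.example/constructed/path"],
    ]
    for chain in samples:
        try:
            print("followed to", follow_chain("http://www.example.org/", chain))
        except RedirectRefused as exc:
            print("blocked:", exc)
```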
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2009-03-04 04:10:13 UTC
Responsible Changed
From-To: freebsd-ports-bugs->roam

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2009-03-04 15:30:37 UTC
roam        2009-03-04 15:30:27 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  Document the cURL redirection security bypass - CVE-2009-0037.
  I'll update the ftp/curl port itself ASAP.
  
  PR:             132299
  Reported by:    Mark Foster <mark@foster.cc> (the PR),
                  Daniel Bond <db@danielbond.org> (e-mail)
  
  Revision  Changes    Path
  1.1873    +31 -1     ports/security/vuxml/vuln.xml
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2009-03-18 06:20:50 UTC
State Changed
From-To: open->closed

committed 2009-03-04.