cURL / libcURL NTLM Authentication Buffer Overflow Vulnerability

Solution:
The vendor has released cURL version 7.13.1 to address this and other issues.

It is reported that the vendor has released a patch and updated 'http_ntlm.c' file to address this vulnerability. The patch may be found at the following location:
http://cool.haxx.se/cvs.cgi/curl/lib/http_ntlm.c.diff?r1=1.36&r2=1.38

SGI has released an advisory 20050403-01-U including updated SGI ProPack 3 Service Pack 4 packages to address this issue. Please see the referenced advisory for more information.

Gentoo has released an advisory (GLSA 200503-20) and an updated eBuild to address this vulnerability. Gentoo users are advised to apply the updates by issuing the following sequence of commands as a superuser:
emerge --sync
emerge --ask --oneshot --verbose ">=net-misc/curl-7.13.1"

Mandrake has released advisory MDKSA-2005:048 dealing with this issue. Please see the referenced advisory for more information.

SuSE has released summary report SUSE-SR:2005:006 mainly to address vulnerabilities described in other BIDs. However, in the addendum of this advisory, it is reported that fixes for the issues described in this BID are pending release. Customers are advised to see the referenced advisory for further information.

SuSE has released advisory SUSE-SA:2005:011 dealing with this issue. Please see the referenced advisory for more information.

Ubuntu Linux has released advisory USN-86-1 dealing with this issue. Please see the referenced advisory for more information.

Conectiva Linux has released advisory CLA-2005:940 along with fixes dealing with this issue. Please see the referenced advisory for more information.

ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.

Red Hat has released advisory RHSA-2005:340-09 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

F5 Networks BIG-IP and 3-DNS upgrades are available from the vendor. Please contact the vendor for more information.


Daniel Stenberg curl 6.5.1

Daniel Stenberg curl 6.5.2

Daniel Stenberg curl 7.1

Daniel Stenberg curl 7.1.1

Daniel Stenberg curl 7.10.1

Daniel Stenberg curl 7.10.3

Daniel Stenberg curl 7.10.4

Daniel Stenberg curl 7.10.5

Daniel Stenberg curl 7.10.6

Daniel Stenberg curl 7.10.7

Daniel Stenberg curl 7.11

Daniel Stenberg curl 7.11.1

Daniel Stenberg curl 7.12

Daniel Stenberg curl 7.12.1

Daniel Stenberg curl 7.13

Daniel Stenberg curl 7.2

Daniel Stenberg curl 7.2.1

Daniel Stenberg curl 7.3

Daniel Stenberg curl 7.4

Daniel Stenberg curl 7.4.1


 

Privacy Statement
Copyright 2010, SecurityFocus