
cURL/libcURL GSS/Negotiate Feature Spoofing Security Vulnerability

High

Synopsis

cURL is a library and command-line tool for transferring data using various protocols, including HTTP, FTP, and LDAP. A vulnerable version of cURL was detected on the host.

Description

It was reported that the application always performs credential delegation when authenticating with GSSAPI. A rogue server could use this flaw to obtain the client's credentials and impersonate that client to other servers that are using GSSAPI. (CVE-2011-2192)

Affected versions include versions 7.10.6 through 7.21.6.

Solution

Upgrade the affected packages; the next version of cURL that fixes the issue is cURL 7.21.7.
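
To confirm a finding on a host, the output of `curl --version` can be checked against the affected range above. The script below is an added example, not part of the advisory or the cURL project; its function names and status labels are hypothetical, and it assumes that a build listing `GSS-Negotiate` on the `Features:` line is one that can authenticate with GSSAPI.

```shell
#!/bin/sh
# Added example: classify `curl --version` output against the advisory's range.
LOW=7.10.6    # first affected version, per the advisory
HIGH=7.21.6   # last affected version, per the advisory

# Turn "a.b.c[suffix]" into one comparable integer; prints -1 if unparseable.
ver_to_int() {
    printf '%s\n' "$1" | awk -F'[.]' '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+/ {
            print $1 * 1000000 + $2 * 1000 + ($3 + 0); ok = 1 }
        END { if (!ok) print -1 }'
}

# Prints one of (hypothetical labels):
#   unknown | not-in-range | in-range-gss | in-range-no-gss-listed
classify_curl_banner() {
    banner=$1
    # The library version is what matters, so read the libcurl/x.y.z token.
    ver=$(printf '%s\n' "$banner" |
          sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    n=$(ver_to_int "$ver")
    [ "$n" -ge 0 ] || { echo unknown; return; }
    if [ "$n" -lt "$(ver_to_int "$LOW")" ] || [ "$n" -gt "$(ver_to_int "$HIGH")" ]; then
        echo not-in-range
        return
    fi
    # Assumption: GSS-Negotiate on the Features line means GSSAPI auth is built in.
    if printf '%s\n' "$banner" | grep -Eq '^Features:.* GSS-Negotiate( |$)'; then
        echo in-range-gss
    else
        echo in-range-no-gss-listed
    fi
}

# Constructed sample banner, shaped like `curl --version` output.
SAMPLE='curl 7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4
Protocols: dict file ftp ftps http https ldap
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz'
echo "sample: $(classify_curl_banner "$SAMPLE")"

# Classify the locally installed curl, if there is one.
if command -v curl >/dev/null 2>&1; then
    echo "local:  $(classify_curl_banner "$(curl --version 2>/dev/null)")"
fi
```

A result of `in-range-no-gss-listed` still calls for the upgrade in the Solution section, since the version itself falls in the affected range.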