Scientific Linux Security Update : curl on SL3.x, SL4.x, SL5.x i386/x86_64
Medium Nessus Plugin ID 60548
Synopsis
The remote Scientific Linux host is missing one or more security updates.
Description
David Kierznowski discovered a flaw in libcurl where it would not differentiate between different target URLs when handling automatic redirects. This caused libcurl to follow any new URL that it understood, including the 'file://' URL type. This could allow a remote server to force a local libcurl-using application to read a local file instead of the remote one, possibly exposing local files that were not meant to be exposed. (CVE-2009-0037)
Note: Applications using libcurl that are expected to follow redirects to 'file://' protocol must now explicitly call curl_easy_setopt(3) and set the newly introduced CURLOPT_REDIR_PROTOCOLS option as required.
All running applications using libcurl must be restarted for the update to take effect.
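The check the note above refers to is a scheme allowlist applied to every redirect target before it is followed. The following C program is an added example, not libcurl's own code: it implements that decision stand-alone so it compiles without linking libcurl. The PROTO_* bits are laid out like libcurl's CURLPROTO_* constants (an assumption; verify against <curl/curl.h> for your version), and the hostnames and Location values in main() are constructed samples.

```c
/* Added example (not libcurl's code): a redirect target must be checked
 * against a protocol allowlist before it is followed, which is what
 * CURLOPT_REDIR_PROTOCOLS does inside libcurl after this fix. Self-contained
 * so it builds without libcurl; the PROTO_* bits below follow the layout of
 * libcurl's CURLPROTO_* constants (assumption: verify against <curl/curl.h>). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_HTTP  (1UL << 0)
#define PROTO_HTTPS (1UL << 1)
#define PROTO_FTP   (1UL << 2)
#define PROTO_FILE  (1UL << 10)

static const struct { const char *name; unsigned long bit; } schemes[] = {
    { "http",  PROTO_HTTP  },
    { "https", PROTO_HTTPS },
    { "ftp",   PROTO_FTP   },
    { "file",  PROTO_FILE  },
};

/* Copy the RFC 3986 scheme of url into buf, lower-cased.
 * Returns 1 on success, 0 if url is a relative reference (no "scheme:"),
 * -1 if a scheme is present but too long to be one we know. */
static int url_scheme(const char *url, char *buf, size_t buflen)
{
    size_t n = 0;

    if (!isalpha((unsigned char)url[0]))
        return 0;
    while (url[n] && (isalnum((unsigned char)url[n]) ||
                      url[n] == '+' || url[n] == '-' || url[n] == '.'))
        n++;
    if (url[n] != ':')
        return 0;
    if (n >= buflen)
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (char)tolower((unsigned char)url[i]);
    buf[n] = '\0';
    return 1;
}

/* Map a scheme name to its allowlist bit; 0 means "unknown scheme". */
static unsigned long scheme_bit(const char *name)
{
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++)
        if (strcmp(schemes[i].name, name) == 0)
            return schemes[i].bit;
    return 0;
}

/* Policy decision for one Location header. base_url is the URL that sent
 * the redirect: a relative Location resolves inside its scheme, so that
 * scheme is what gets checked. Unknown or over-long schemes are refused; a
 * known scheme is followed only when its bit is set in allowed.
 * Returns 1 to follow the redirect, 0 to stop. */
int redirect_allowed(const char *base_url, const char *location, unsigned long allowed)
{
    char sch[16];
    int rc = url_scheme(location, sch, sizeof sch);

    if (rc < 0)
        return 0;
    if (rc == 0 && url_scheme(base_url, sch, sizeof sch) != 1)
        return 0;
    unsigned long bit = scheme_bit(sch);
    return bit != 0 && (allowed & bit) != 0;
}

int main(void)
{
    /* Constructed sample redirects, as a hostile server might send them. */
    const char *base = "http://updates.example.test/pkg.rpm";
    const char *targets[] = {
        "https://mirror.example.test/pkg.rpm",
        "/mirror/pkg.rpm",
        "file:///etc/passwd",
        "FILE:///etc/shadow",
        "ftp://mirror.example.test/pkg.rpm",
    };
    unsigned long web_only = PROTO_HTTP | PROTO_HTTPS;

    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-40s -> %s\n", targets[i],
               redirect_allowed(base, targets[i], web_only) ? "follow" : "refuse");
    return 0;
}
```

In a real libcurl client the same policy is expressed next to `CURLOPT_FOLLOWLOCATION` with `curl_easy_setopt(handle, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)`; an application that genuinely needs to follow a redirect into 'file://' must OR in `CURLPROTO_FILE` itself, since the patched library no longer does so by default. Note that the scheme comparison is case-insensitive and that relative targets inherit the originating URL's scheme, so neither 'FILE:' nor a bare path can be used to slip past the allowlist.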
Solution
Update the affected curl and / or curl-devel packages.