Issued: 2011-05-19
Updated: 2011-05-19

RHBA-2011:0573 - curl bug fix update


Synopsis

curl bug fix update

Type/Severity

Bug Fix Advisory (none)

Topic

Updated curl packages that fix bugs in HTTPS, FTP, LDAP and proxy kerberos authentication are now available.

Description

cURL is a tool for getting files from HTTP, FTP, FILE, LDAP, LDAPS, DICT, TELNET and TFTP servers, using any of the supported protocols. cURL is designed to work without user interaction or any kind of interactivity. cURL offers many useful capabilities, like proxy support, user authentication, FTP upload, HTTP post, and file transfer resume.

This update fixes the following bugs:

  • On a RHEL 6.1 machine registered with RHN, libcurl caused a segmentation fault (core dumped) when "yum clean all" was followed by "yum update". libcurl now uses "CERT_GetDefaultCertDB" so that this command sequence no longer crashes. (BZ#690273)

  • libcurl HTTPS connections failed with a CURLE_OUT_OF_MEMORY error when given a certificate file name without a "/". Such a string is now treated as a certificate nickname, and if a file with the same name exists and libcurl runs in verbose mode, a warning is issued. The updated documentation now suggests using the "./" prefix to load a file from the current directory. (BZ#623663)

  • A rebuild operation for curl failed if the libnih-devel package was installed. This is now fixed to allow a rebuild whether libnih-devel is installed, not installed or has a broken installation. (BZ#669048)

  • libcurl ignored the CA path provided in CURLOPT_CAPATH, and consequently curl ignored the "--capath" argument. This is fixed so that libcurl now uses the value provided with the "--capath" argument. (BZ#669702)

  • libcurl leaked memory and eventually caused a failed NSS shutdown when more than one CA certificate was loaded. This is now fixed so that libcurl works as expected when more than one CA certificate is loaded. (BZ#670802)

  • libcurl leaked memory when an SSL connection failed. This is now fixed to prevent the memory leak during an SSL connection failure. (BZ#678594)

  • libcurl's FTP protocol implementation was unable to handle server session timeouts correctly. This is now fixed so that libcurl drops the connection when a 421 timeout response is received. (BZ#651592)

  • libcurl failed when an LDAP request was sent using curl through an HTTP proxy in tunnel mode (curl option "-p" or "--proxytunnel"). curl tried to connect directly to the LDAP server via the proxy port and consequently failed. This is now fixed so that libcurl LDAP connections through HTTP proxies work as expected. (BZ#655134)

  • libcurl was unable to authenticate to HTTP proxies via Kerberos. This is now fixed, and libcurl can successfully authenticate to HTTP proxies via Kerberos. (BZ#625685)

  • When libcurl connected a second time to an SSL server presenting the same server certificate, that certificate was not verified again, because libcurl had confirmed its authenticity on the first connection. This is fixed by disabling the SSL cache when it is not verifying a certificate, which forces verification of the certificate on the second use. (BZ#678580)

  • Kerberos authentication was broken for reused curl handles, which prevented "git clone" from working with Kerberos-authenticated web servers. This is now fixed to allow "git clone" operations to authenticate successfully and carry out their operations. (BZ#684892)

  • It was not possible to use two distinct client certificates to connect two times in a row to the same SSL server. This is now fixed to allow two different client certificates to connect to the same SSL server. (BZ#694294)
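The BZ#623663 item above describes a rule that is easy to get wrong in scripts: with the NSS-backed libcurl in this update, a --cert value containing "/" names a file, while anything else is looked up as an NSS database nickname. The following is an added example (not code from the advisory or from the curl project) that models that rule and the "./" prefix the updated documentation recommends; the function names are this example's own.

```shell
#!/bin/sh
# Added example: models how the NSS-backed libcurl in this update interprets a
# client certificate argument (CURLOPT_SSLCERT / --cert), per BZ#623663.
# A value containing "/" names a file; any other value is an NSS nickname.

# classify_cert_arg ARG -> prints "file" or "nickname"
classify_cert_arg() {
    case "$1" in
        */*) echo file ;;
        *)   echo nickname ;;
    esac
}

# cert_arg_warning ARG -> prints a warning in the spirit of libcurl's verbose-mode
# message when a nickname also matches an existing file in the current directory;
# prints nothing otherwise
cert_arg_warning() {
    if [ "$(classify_cert_arg "$1")" = nickname ] && [ -e "$1" ]; then
        printf 'warning: "%s" is treated as an NSS nickname, not a file; use "./%s" to load the file\n' "$1" "$1"
    fi
}

# as_cert_file_arg ARG -> the argument to pass when a file is intended:
# a bare file name gets the "./" prefix the updated documentation suggests
as_cert_file_arg() {
    case "$1" in
        */*) printf '%s\n' "$1" ;;
        *)   printf './%s\n' "$1" ;;
    esac
}
```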

Users of curl should upgrade to these updated packages, which contain back-ported patches to correct these issues. All running applications using libcurl must be restarted for the update to take effect.
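A practical way to act on the restart requirement above: a process that loaded the old libcurl before the package was replaced keeps the old code mapped, and the kernel marks such a mapping "(deleted)" in /proc/PID/maps. The following is an added example (not part of the advisory) that lists those processes; the function names and the sample maps lines used in its test are constructed for this example.

```shell
#!/bin/sh
# Added example: find processes still using a libcurl shared object that has
# been replaced on disk, i.e. processes that must be restarted after this update.

# maps_has_stale_libcurl MAPS_FILE -> exit 0 when the maps file shows a libcurl
# shared object whose file has been replaced (kernel appends " (deleted)")
maps_has_stale_libcurl() {
    grep -q 'libcurl\.so[^ ]* (deleted)$' "$1" 2>/dev/null
}

# stale_libcurl_pids -> one PID per line for processes that need a restart
stale_libcurl_pids() {
    for maps in /proc/[0-9]*/maps; do
        if maps_has_stale_libcurl "$maps"; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Optional report when run directly (as root, right after updating curl):
# prints PID and command line of every process that still maps the old library
if [ "${1-}" = --report ]; then
    stale_libcurl_pids | while read -r pid; do
        printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline")"
    done
fi
```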

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

Product | Version | Arch
Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64
Red Hat Enterprise Linux for Power, big endian | 6 | ppc64
Red Hat Enterprise Linux for IBM z Systems | 6 | s390x
Red Hat Enterprise Linux Workstation | 6 | x86_64
Red Hat Enterprise Linux Workstation | 6 | i386
Red Hat Enterprise Linux Server | 6 | x86_64
Red Hat Enterprise Linux Server | 6 | i386
Red Hat Enterprise Linux Server from RHUI | 6 | x86_64
Red Hat Enterprise Linux Server from RHUI | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x

Updated Packages

  • curl-7.19.7-26.el6.x86_64.rpm
  • libcurl-devel-7.19.7-26.el6.s390.rpm
  • libcurl-devel-7.19.7-26.el6.i686.rpm
  • curl-debuginfo-7.19.7-26.el6.ppc.rpm
  • curl-debuginfo-7.19.7-26.el6.i686.rpm
  • libcurl-7.19.7-26.el6.ppc.rpm
  • libcurl-devel-7.19.7-26.el6.x86_64.rpm
  • curl-debuginfo-7.19.7-26.el6.s390.rpm
  • libcurl-7.19.7-26.el6.i686.rpm
  • curl-debuginfo-7.19.7-26.el6.s390x.rpm
  • curl-debuginfo-7.19.7-26.el6.x86_64.rpm
  • libcurl-devel-7.19.7-26.el6.ppc64.rpm
  • libcurl-devel-7.19.7-26.el6.ppc.rpm
  • curl-7.19.7-26.el6.s390x.rpm
  • libcurl-7.19.7-26.el6.s390.rpm
  • curl-7.19.7-26.el6.i686.rpm
  • curl-7.19.7-26.el6.src.rpm
  • curl-debuginfo-7.19.7-26.el6.ppc64.rpm
  • libcurl-7.19.7-26.el6.s390x.rpm
  • libcurl-devel-7.19.7-26.el6.s390x.rpm
  • libcurl-7.19.7-26.el6.x86_64.rpm
  • libcurl-7.19.7-26.el6.ppc64.rpm
  • curl-7.19.7-26.el6.ppc64.rpm

Fixes

CVEs

(none)

References

(none)


Additional information