Security Advisory Moderate: curl security update

Advisory: RHSA-2017:0847-1
Type: Security Advisory
Severity: Moderate
Issued on: 2017-03-29
Last updated on: 2017-03-29
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2017-2628

Details

An update for curl is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP, FTP, and
LDAP.

Security Fix(es):

* It was found that the fix for CVE-2015-3148 in curl was incomplete. An
application using libcurl with HTTP Negotiate authentication could incorrectly
re-use credentials for subsequent requests to the same server. (CVE-2017-2628)

This issue was discovered by Paulo Andrade (Red Hat).


Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
curl-7.19.7-53.el6_9.src.rpm

IA-32:
curl-7.19.7-53.el6_9.i686.rpm
curl-debuginfo-7.19.7-53.el6_9.i686.rpm
libcurl-7.19.7-53.el6_9.i686.rpm
libcurl-devel-7.19.7-53.el6_9.i686.rpm

x86_64:
curl-7.19.7-53.el6_9.x86_64.rpm
curl-debuginfo-7.19.7-53.el6_9.i686.rpm
curl-debuginfo-7.19.7-53.el6_9.x86_64.rpm
libcurl-7.19.7-53.el6_9.i686.rpm
libcurl-7.19.7-53.el6_9.x86_64.rpm
libcurl-devel-7.19.7-53.el6_9.i686.rpm
libcurl-devel-7.19.7-53.el6_9.x86_64.rpm
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
curl-7.19.7-53.el6_9.src.rpm

x86_64:
curl-7.19.7-53.el6_9.x86_64.rpm
curl-debuginfo-7.19.7-53.el6_9.i686.rpm
curl-debuginfo-7.19.7-53.el6_9.x86_64.rpm
libcurl-7.19.7-53.el6_9.i686.rpm
libcurl-7.19.7-53.el6_9.x86_64.rpm
libcurl-devel-7.19.7-53.el6_9.i686.rpm
libcurl-devel-7.19.7-53.el6_9.x86_64.rpm
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
curl-7.19.7-53.el6_9.src.rpm

IA-32:
curl-7.19.7-53.el6_9.i686.rpm
curl-debuginfo-7.19.7-53.el6_9.i686.rpm
libcurl-7.19.7-53.el6_9.i686.rpm
libcurl-devel-7.19.7-53.el6_9.i686.rpm

PPC:
curl-7.19.7-53.el6_9.ppc64.rpm
curl-debuginfo-7.19.7-53.el6_9.ppc.rpm
curl-debuginfo-7.19.7-53.el6_9.ppc64.rpm
libcurl-7.19.7-53.el6_9.ppc.rpm
libcurl-7.19.7-53.el6_9.ppc64.rpm
libcurl-devel-7.19.7-53.el6_9.ppc.rpm
libcurl-devel-7.19.7-53.el6_9.ppc64.rpm

s390x:
curl-7.19.7-53.el6_9.s390x.rpm
curl-debuginfo-7.19.7-53.el6_9.s390.rpm
curl-debuginfo-7.19.7-53.el6_9.s390x.rpm
libcurl-7.19.7-53.el6_9.s390.rpm
libcurl-7.19.7-53.el6_9.s390x.rpm
libcurl-devel-7.19.7-53.el6_9.s390.rpm
libcurl-devel-7.19.7-53.el6_9.s390x.rpm

x86_64:
curl-7.19.7-53.el6_9.x86_64.rpm
curl-debuginfo-7.19.7-53.el6_9.i686.rpm
curl-debuginfo-7.19.7-53.el6_9.x86_64.rpm
libcurl-7.19.7-53.el6_9.i686.rpm
libcurl-7.19.7-53.el6_9.x86_64.rpm
libcurl-devel-7.19.7-53.el6_9.i686.rpm
libcurl-devel-7.19.7-53.el6_9.x86_64.rpm
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
curl-7.19.7-53.el6_9.src.rpm

IA-32:
curl-7.19.7-53.el6_9.i686.rpm
curl-debuginfo-7.19.7-53.el6_9.i686.rpm
libcurl-7.19.7-53.el6_9.i686.rpm
libcurl-devel-7.19.7-53.el6_9.i686.rpm

x86_64:
curl-7.19.7-53.el6_9.x86_64.rpm
curl-debuginfo-7.19.7-53.el6_9.i686.rpm
curl-debuginfo-7.19.7-53.el6_9.x86_64.rpm
libcurl-7.19.7-53.el6_9.i686.rpm
libcurl-7.19.7-53.el6_9.x86_64.rpm
libcurl-devel-7.19.7-53.el6_9.i686.rpm
libcurl-devel-7.19.7-53.el6_9.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1422464 - CVE-2017-2628 curl: negotiate not treated as connection-oriented (incomplete fix for CVE-2015-3148)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/