Index: trunk/server/common/patches/curl-gssapi-delegation.patch
===================================================================
--- trunk/server/common/patches/curl-gssapi-delegation.patch	(revision 1922)
+++ trunk/server/common/patches/curl-gssapi-delegation.patch	(revision 1922)
@@ -0,0 +1,28 @@
+From a4be0864ba953b3317ece66bf8c2332ea74a4715 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 8 Jun 2011 00:10:26 +0200
+Subject: [PATCH] Curl_input_negotiate: do not delegate credentials
+
+This is a security flaw. See curl advisory 201106xx for details.
+
+Reported by: Richard Silverman
+---
+ lib/http_negotiate.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
+index 202d69e..5127e64 100644
+--- a/lib/http_negotiate.c
++++ b/lib/http_negotiate.c
+@@ -243,7 +243,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
+                                       &neg_ctx->context,
+                                       neg_ctx->server_name,
+                                       GSS_C_NO_OID,
+-                                      GSS_C_DELEG_FLAG,
++                                      0,
+                                       0,
+                                       GSS_C_NO_CHANNEL_BINDINGS,
+                                       &input_token,
+-- 
+1.7.5.3
+
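Review bot: The carried patch's message line `This is a security flaw. See curl advisory 201106xx for details.` still has the placeholder advisory id, so the patch file on its own does not say which advisory or CVE it addresses. The spec changelog added in this same changeset names CVE-2011-2192 and http://curl.haxx.se/docs/adv_20110623.html. A local note below the `---` separator, such as `Fixes CVE-2011-2192, see http://curl.haxx.se/docs/adv_20110623.html`, would keep the upstream message intact and make the file traceable. The same note could record that the hunk now passes `0` unconditionally where `GSS_C_DELEG_FLAG` was, so a local client that relied on delegated credentials over Negotiate will no longer get them and, as far as this hunk shows, has no opt-in. The patched call begins above the embedded hunk, so the argument's role is inferred from the neighbouring `GSS_C_NO_OID` and `GSS_C_NO_CHANNEL_BINDINGS` arguments.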
Index: trunk/server/fedora/Makefile
===================================================================
--- trunk/server/fedora/Makefile	(revision 1919)
+++ trunk/server/fedora/Makefile	(revision 1922)
@@ -19,5 +19,5 @@
 # See /COPYRIGHT in this repository for more information.
 
-upstream_yum	= krb5 krb5.i686 httpd openssh
+upstream_yum	= krb5 krb5.i686 httpd openssh curl
 hackage		= MonadCatchIO-mtl-0.3.0.1 cgi-3001.1.8.1 unix-handle-0.0.0
 upstream_hackage = ghc-MonadCatchIO-mtl ghc-cgi ghc-unix-handle
Index: trunk/server/fedora/specs/curl.spec.patch
===================================================================
--- trunk/server/fedora/specs/curl.spec.patch	(revision 1922)
+++ trunk/server/fedora/specs/curl.spec.patch	(revision 1922)
@@ -0,0 +1,40 @@
+--- /tmp/t/curl.spec	2011-07-01 10:50:07.000000000 -0400
++++ /tmp/t/curl.spec	2011-07-01 10:50:46.000000000 -0400
+@@ -1,7 +1,7 @@
+ Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
+ Name: curl
+ Version: 7.20.1
+-Release: 5%{?dist}
++Release: 5.scripts.%{scriptsversion}%{?dist}
+ License: MIT
+ Group: Applications/Internet
+ Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
+@@ -90,6 +90,9 @@
+ # workaround for broken applications using curl multi (#599340)
+ Patch108: 0108-curl-7.20.1-threaded-dns-multi.patch
+ 
++# disable credential delegation over Negotiate (CVE-2011-2192)
++Patch1000: curl-gssapi-delegation.patch
++
+ Provides: webclient
+ URL: http://curl.haxx.se/
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+@@ -190,6 +193,7 @@
+ %patch105 -p1
+ %patch106 -p1
+ %patch108 -p1
++%patch1000 -p1
+ 
+ # other patches
+ %patch15 -p1
+@@ -289,6 +293,10 @@
+ %{_datadir}/aclocal/libcurl.m4
+ 
+ %changelog
++* Fri Jul 01 2011 Geoffrey Thomas <geofft@mit.edu> 7.20.1-5.scripts.r1922
++- disable credential delegation over Negotiate (CVE-2011-2192)
++  Patch from upstream: http://curl.haxx.se/docs/adv_20110623.html
++
+ * Fri Nov 26 2010 Kamil Dudka <kdudka@redhat.com> 7.20.1-5
+ - do not send QUIT to a dead FTP control connection (#650255)
+ - prevent FTP client from hanging on unrecognized ABOR response (#649347)
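Review bot: The new changelog header `* Fri Jul 01 2011 Geoffrey Thomas <geofft@mit.edu> 7.20.1-5.scripts.r1922` hard-codes the revision, while the `Release:` line computes it from `%{scriptsversion}`. If the package is rebuilt at a later revision, the installed release and the top changelog entry will presumably disagree. That makes it harder to confirm from `rpm -q --changelog curl` that a given host runs the build carrying the CVE-2011-2192 fix. Consider writing the entry as `7.20.1-5.scripts`, or noting in the `Patch1000` comment that the fix is present from r1922 onward. The macro is not defined in any of the hunks shown, so its format is assumed from the changelog line.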
