Description of problem:
When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism. This is obviously a very sensitive operation, which should only be done when the user explicitly so directs. The issue is discussed in detail at the above link. Mitre has issued CVE-2011-2192 for this issue.

Version-Release number of selected component (if applicable):
7.21.5-1mga1

How reproducible:
N/A

Patch: http://curl.haxx.se/curl-gssapi-delegation.patch

It would be good to address bug 1813 and the other open curl bugs in the same update.

Possible update release text:
Richard Silverman discovered a security issue with curl's GSSAPI authentication, where the client hands the server a copy of the client credentials. While there are no known exploits at this time, updated packages have corrected the issue. This issue has been reserved the CVE identifier of CVE-2011-2192 at http://cve.mitre.org.
Bug 1910, curl too.
CC: (none) => boklm
Depends on: (none) => 1813, 1910
Package curl-7.21.5-1.1.mga1 submitted to updates_testing repository should fix this issue, and bugs #1910 and #1813.
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
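The upstream fix for CVE-2011-2192 landed in a later curl release, but on Mageia it was backported into the 7.21.5-1.1.mga1 build named above, so a plain "is my curl older than X.Y.Z" check would misreport patched hosts. The following is an added helper (not part of the bug report or the curl project) that compares an installed package NVR against the fixed build using RPM's version-comparison rules; the comparator is a simplified rpmvercmp that does not handle tilde or caret pre-release markers, and the sample `rpm -q curl` outputs are constructed.

```python
import re

# Fixed build named in this bug; the vulnerable build is curl-7.21.5-1mga1.
FIXED_NVR = "curl-7.21.5-1.1.mga1"

# rpmvercmp splits a version into runs of digits and runs of letters,
# ignoring separators such as '.' and '-'.
_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpmvercmp()
    (simplified: tilde/caret markers are not handled).
    Returns 1 if a is newer, -1 if older, 0 if equal."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            # A numeric segment always sorts newer than an alphabetic one,
            # so release "1.1.mga1" is newer than "1mga1".
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    if len(ta) == len(tb):
        return 0
    return 1 if len(ta) > len(tb) else -1


def parse_nvr(nvr: str):
    """Split 'name-version-release' on the last two hyphens."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(installed_nvr: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True when the installed package is at or above the fixed build."""
    _, iv, ir = parse_nvr(installed_nvr)
    _, fv, fr = parse_nvr(fixed_nvr)
    cmp = rpmvercmp(iv, fv)
    if cmp == 0:
        cmp = rpmvercmp(ir, fr)
    return cmp >= 0


if __name__ == "__main__":
    # Constructed sample `rpm -q curl` outputs from a few hosts.
    for nvr in ["curl-7.21.5-1mga1", "curl-7.21.5-1.1.mga1", "curl-7.22.0-1.mga2"]:
        print(nvr, "fixed" if is_fixed(nvr) else "VULNERABLE (CVE-2011-2192)")
```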
Package moved to updates.
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
CC: boklm => (none)