USN-726-2 -- curl regressionID: oval:org.secpod.oval:def:700287 | Date: (C)2011-05-13 (M)2021-06-02 |
Class: PATCH | Family: unix |
USN-726-1 fixed a vulnerability in curl. Due to an incomplete fix, a regression was introduced in Ubuntu 8.10 that caused certain types of URLs to fail. This update fixes the problem. We apologize for the inconvenience. Original advisory details: It was discovered that curl did not enforce any restrictions when following URL redirects. If a user or automated system were tricked into opening a URL to an untrusted server, an attacker could use redirects to gain access to abitrary files. This update changes curl behavior to prevent following "file" URLs after a redirect.