FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

cURL -- inappropriate GSSAPI delegation

Affected packages
7.10.6 <= curl <= 7.21.6
7.10.6 <= linux-f10-curl <= 7.21.6
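
To audit a host against the ranges above, the following added example (not part of the VuXML entry or of cURL's advisory) checks installed package names against them. The comparison is a simplified assumption, not the full pkg version algorithm: it handles dotted numeric versions with an optional _PORTREVISION and ,PORTEPOCH suffix, and the sample package list is constructed.

```python
import re

# Affected ranges copied from this entry: package -> (lowest, highest), inclusive.
AFFECTED = {
    "curl": ("7.10.6", "7.21.6"),
    "linux-f10-curl": ("7.10.6", "7.21.6"),
}

# name-version[_PORTREVISION][,PORTEPOCH]; only dotted numeric versions (assumption).
PKG_RE = re.compile(
    r"^(?P<name>.+)-(?P<ver>\d+(?:\.\d+)*)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$"
)


def version_key(ver, rev=None, epoch=None):
    """Sort key: PORTEPOCH first, then the dotted version, then PORTREVISION."""
    return (int(epoch or 0), tuple(int(p) for p in ver.split(".")), int(rev or 0))


def parse_pkg(pkgname):
    """Split 'curl-7.21.6_1,1' into (name, key); None if the form is unsupported."""
    m = PKG_RE.match(pkgname.strip())
    if not m:
        return None
    return m["name"], version_key(m["ver"], m["rev"], m["epoch"])


def is_affected(pkgname):
    """True if the package name and version fall inside a range listed above."""
    parsed = parse_pkg(pkgname)
    if parsed is None or parsed[0] not in AFFECTED:
        return False
    low, high = AFFECTED[parsed[0]]
    # A bumped PORTREVISION (7.21.6_1) sorts above the plain upper bound 7.21.6.
    return version_key(low) <= parsed[1] <= version_key(high)


def affected_packages(installed):
    """Filter a list of installed package names down to the affected ones."""
    return [p for p in installed if is_affected(p)]


# Constructed sample of installed package names, for illustration only.
SAMPLE = ["curl-7.21.3", "linux-f10-curl-7.19.7_2", "curl-7.22.0", "py27-pycurl-7.19.0"]

if __name__ == "__main__":
    print(affected_packages(SAMPLE))
```
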

Details

VuXML ID 9aecb94c-c1ad-11e3-a5ac-001b21614864
Discovery 2011-06-23
Entry 2014-04-11
Modified 2014-04-30

cURL reports:

When doing GSSAPI authentication, libcurl unconditionally performs credential delegation. This hands the server a copy of the client's security credentials, allowing the server to impersonate the client to any other using the same GSSAPI mechanism.

References

CVE Name CVE-2011-2192
URL http://curl.haxx.se/docs/adv_20110623.html