source: tags/fc13-eol/server/common/patches/curl-gssapi-delegation.patch

Last change on this file was 1922, checked in by geofft, 12 years ago
Patch curl for CVE-2011-2192: do not delegate tickets over HTTP
File size: 1.0 KB

  • lib/http_negotiate.c 

    From a4be0864ba953b3317ece66bf8c2332ea74a4715 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 8 Jun 2011 00:10:26 +0200
Subject: [PATCH] Curl_input_negotiate: do not delegate credentials

This is a security flaw. See curl advisory 201106xx for details.

Reported by: Richard Silverman
---
 lib/http_negotiate.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
index 202d69e..5127e64 100644
    a b int Curl_input_negotiate(struct connectdata *conn, bool proxy, 
    243243                                      &neg_ctx->context,
    244244                                      neg_ctx->server_name,
    245245                                      GSS_C_NO_OID,
    246                                       GSS_C_DELEG_FLAG,
     246                                      0,
    247247                                      0,
    248248                                      GSS_C_NO_CHANNEL_BINDINGS,
    249249                                      &input_token,
Note: See TracBrowser for help on using the repository browser.