curl security update

Advisory ID: openEuler-SA-2022-1659
Document type: Security Advisory
Status: Final
Version: 1.0
Issuer: openEuler security committee (openeuler-security@openeuler.org)
Initial release date: 2022-05-18 (Initial, 1.0)
Current release date: 2022-05-18
Generator: openEuler SA Tool V1.0, 2022-05-18
Severity: Medium
Affected component: curl
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS

Synopsis

An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.

Description

cURL is a computer software project providing a library (libcurl) and a command-line tool (curl) for transferring data using various protocols.

Security Fix(es):

- CVE-2022-22576: curl can reuse an OAUTH2-authenticated connection without properly ensuring that the connection was authenticated with the same credentials as those set for the new transfer. This can lead to authentication bypasses, either by mistake or by malicious actors.

- CVE-2022-27774: When asked, curl follows HTTP(S) redirects. curl also supports authentication. When a user and password are provided for a URL with a given hostname, curl makes an effort not to pass these credentials to other hosts in redirects unless this is explicitly permitted with special options. This "same host check" has been flawed since its introduction: it does not work with cross-protocol redirects, nor does it treat different port numbers as separate hosts. As a result, credentials leak to other servers when curl redirects from an authentication-protected HTTP(S) URL to another protocol or port number. TLS SRP credentials can also leak this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but the user can ask to allow redirects to all curl-supported protocols.

- CVE-2022-27775: A logical bug in curl's connection configuration matching function causes it not to take the IPv6 address zone id into account, which can make curl reuse the wrong connection when one transfer uses a zone id and subsequent transfers use another.

- CVE-2022-27776: curl can leak authentication or cookie header data over HTTP when redirected to the same host but a different port number: for applications passing custom Authorization: or Cookie: headers, those headers are also sent to the server on the other port. Sending them to servers on different port numbers is a problem, since these headers often contain privacy-sensitive information or data.

openEuler Security has rated this update as having a security impact of Medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Vulnerability details

CVE-2022-22576
  Release date: 2022-05-18
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Low
  CVSS base score: 4.6
  CVSS vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
  Remediation: curl security update, 2022-05-18, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659

CVE-2022-27774
  Release date: 2022-05-18
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Medium
  CVSS base score: 5.0
  CVSS vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
  Remediation: curl security update, 2022-05-18, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659

CVE-2022-27775
  Release date: 2022-05-18
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Low
  CVSS base score: 2.6
  CVSS vector: AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
  Remediation: curl security update, 2022-05-18, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659

CVE-2022-27776
  Release date: 2022-05-18
  Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
  Severity: Low
  CVSS base score: 4.3
  CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  Remediation: curl security update, 2022-05-18, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659

Updated packages

openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3 (same package set for both):
  aarch64:
    curl-7.71.1-13.oe1.aarch64.rpm
    curl-debuginfo-7.71.1-13.oe1.aarch64.rpm
    curl-debugsource-7.71.1-13.oe1.aarch64.rpm
    libcurl-7.71.1-13.oe1.aarch64.rpm
    libcurl-devel-7.71.1-13.oe1.aarch64.rpm
  x86_64:
    curl-7.71.1-13.oe1.x86_64.rpm
    curl-debuginfo-7.71.1-13.oe1.x86_64.rpm
    curl-debugsource-7.71.1-13.oe1.x86_64.rpm
    libcurl-7.71.1-13.oe1.x86_64.rpm
    libcurl-devel-7.71.1-13.oe1.x86_64.rpm
  noarch:
    curl-help-7.71.1-13.oe1.noarch.rpm
  src:
    curl-7.71.1-13.oe1.src.rpm

openEuler-22.03-LTS:
  aarch64:
    curl-7.79.1-4.oe2203.aarch64.rpm
    curl-debuginfo-7.79.1-4.oe2203.aarch64.rpm
    curl-debugsource-7.79.1-4.oe2203.aarch64.rpm
    libcurl-7.79.1-4.oe2203.aarch64.rpm
    libcurl-devel-7.79.1-4.oe2203.aarch64.rpm
  x86_64:
    curl-7.79.1-4.oe2203.x86_64.rpm
    curl-debuginfo-7.79.1-4.oe2203.x86_64.rpm
    curl-debugsource-7.79.1-4.oe2203.x86_64.rpm
    libcurl-7.79.1-4.oe2203.x86_64.rpm
    libcurl-devel-7.79.1-4.oe2203.x86_64.rpm
  noarch:
    curl-help-7.79.1-4.oe2203.noarch.rpm
  src:
    curl-7.79.1-4.oe2203.src.rpm

References

https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22576
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27774
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27775
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27776
https://nvd.nist.gov/vuln/detail/CVE-2022-22576
https://nvd.nist.gov/vuln/detail/CVE-2022-27774
https://nvd.nist.gov/vuln/detail/CVE-2022-27775
https://nvd.nist.gov/vuln/detail/CVE-2022-27776
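The three redirect and connection-reuse issues above (CVE-2022-27774, CVE-2022-27775, CVE-2022-27776) come down to one question: when is a redirect target, or a cached connection, "the same host"? The added example below is not curl's or openEuler's code; it illustrates, in a small HTTP-client helper written for this advisory, what a correct answer looks like: the scheme, the host (with any IPv6 zone id kept as part of it) and the port must all match before credentials or custom Authorization:/Cookie: headers may be forwarded. The function and header names are assumptions of the example.

```python
from urllib.parse import urlsplit

# Default ports for the schemes curl's "same host check" mainly concerns.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ftps": 990}


def origin_key(url: str) -> tuple:
    """Return (scheme, host, port) for a URL.

    The IPv6 zone id stays part of the host, so fe80::1%eth0 and fe80::1%eth1
    are different keys (the distinction missed in CVE-2022-27775). The port is
    defaulted from the scheme, so http://a and http://a:80 compare equal while
    http://a:8080 does not (the port mix-up in CVE-2022-27774/CVE-2022-27776).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""  # urlsplit strips brackets, keeps the zone id
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def may_forward_credentials(original: str, redirect: str) -> bool:
    """True only if the redirect stays on the same scheme, host and port.

    A cross-protocol redirect (https -> ftp) or a change of port fails here,
    which is exactly what the flawed check in the advisory did not enforce.
    """
    return origin_key(original) == origin_key(redirect)


def headers_for_redirect(headers: dict, original: str, redirect: str) -> dict:
    """Strip Authorization: and Cookie: headers when a redirect leaves the origin."""
    if may_forward_credentials(original, redirect):
        return dict(headers)
    return {k: v for k, v in headers.items()
            if k.lower() not in ("authorization", "cookie")}


if __name__ == "__main__":
    # Constructed sample: a custom header set and a redirect to another port.
    hdrs = {"Authorization": "Bearer sample-token", "Cookie": "sid=1", "Accept": "*/*"}
    print(headers_for_redirect(hdrs, "http://example.com/", "http://example.com:8080/"))
```

Keying a connection cache on `origin_key` gives the same protection for reuse: a transfer to `fe80::1%eth1` never picks up a connection opened to `fe80::1%eth0`.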