An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS

Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuing authority: openEuler security committee
Advisory ID: openEuler-SA-2022-1675
Status: Final
Version: 1.0
Revision history: 1.0, 2022-05-28, Initial
Initial release date: 2022-05-28
Current release date: 2022-05-28
Generator: openEuler SA Tool V1.0, 2022-05-28

Synopsis: curl security update

Description: cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.

Security Fix(es):

libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily. (CVE-2022-27782)

A vulnerability was found in curl. This issue occurs due to an erroneous function. A malicious server could make curl within Network Security Services (NSS) get stuck in a never-ending busy loop when trying to retrieve that information. This flaw allows an Infinite Loop, affecting system availability. (CVE-2022-27781)

openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: Medium
Affected component: curl

References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1675
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27782
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27781
https://nvd.nist.gov/vuln/detail/CVE-2022-27782
https://nvd.nist.gov/vuln/detail/CVE-2022-27781

Products:
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS

Packages (aarch64):
curl-7.71.1-14.oe1.aarch64.rpm curl-debugsource-7.71.1-14.oe1.aarch64.rpm curl-debuginfo-7.71.1-14.oe1.aarch64.rpm libcurl-7.71.1-14.oe1.aarch64.rpm libcurl-devel-7.71.1-14.oe1.aarch64.rpm
curl-7.71.1-14.oe1.aarch64.rpm curl-debugsource-7.71.1-14.oe1.aarch64.rpm curl-debuginfo-7.71.1-14.oe1.aarch64.rpm libcurl-7.71.1-14.oe1.aarch64.rpm libcurl-devel-7.71.1-14.oe1.aarch64.rpm
curl-7.79.1-6.oe2203.aarch64.rpm curl-debugsource-7.79.1-6.oe2203.aarch64.rpm curl-debuginfo-7.79.1-6.oe2203.aarch64.rpm libcurl-7.79.1-6.oe2203.aarch64.rpm libcurl-devel-7.79.1-6.oe2203.aarch64.rpm

Packages (noarch):
curl-help-7.71.1-14.oe1.noarch.rpm
curl-help-7.71.1-14.oe1.noarch.rpm
curl-help-7.79.1-6.oe2203.noarch.rpm

Packages (src):
curl-7.71.1-14.oe1.src.rpm
curl-7.71.1-14.oe1.src.rpm
curl-7.79.1-6.oe2203.src.rpm

Packages (x86_64):
curl-7.71.1-14.oe1.x86_64.rpm curl-debugsource-7.71.1-14.oe1.x86_64.rpm curl-debuginfo-7.71.1-14.oe1.x86_64.rpm libcurl-7.71.1-14.oe1.x86_64.rpm libcurl-devel-7.71.1-14.oe1.x86_64.rpm
curl-7.71.1-14.oe1.x86_64.rpm curl-debugsource-7.71.1-14.oe1.x86_64.rpm curl-debuginfo-7.71.1-14.oe1.x86_64.rpm libcurl-7.71.1-14.oe1.x86_64.rpm libcurl-devel-7.71.1-14.oe1.x86_64.rpm
curl-7.79.1-6.oe2203.x86_64.rpm curl-debugsource-7.79.1-6.oe2203.x86_64.rpm curl-debuginfo-7.79.1-6.oe2203.x86_64.rpm libcurl-7.79.1-6.oe2203.x86_64.rpm libcurl-devel-7.79.1-6.oe2203.x86_64.rpm

libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.

Release date: 2022-05-28
CVE: CVE-2022-27782
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
Severity: Medium
CVSS base score: 6.0
CVSS vector: AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Remediation: curl security update, 2022-05-28
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1675

A vulnerability was found in curl. This issue occurs due to an erroneous function. A malicious server could make curl within Network Security Services (NSS) get stuck in a never-ending busy loop when trying to retrieve that information. This flaw allows an Infinite Loop, affecting system availability.

Release date: 2022-05-28
CVE: CVE-2022-27781
Affected products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS
Severity: Medium
CVSS base score: 5.3
CVSS vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Remediation: curl security update, 2022-05-28
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1675