An update for curl is now available for openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-2041 Final 1.0 1.0 2022-11-04 Initial 2022-11-04 2022-11-04 openEuler SA Tool V1.0 2022-11-04 curl security update An update for curl is now available for openEuler-22.03-LTS. CURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols. Security Fix(es): curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0.(CVE-2022-42915) A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request.(CVE-2022-32221) In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step) even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.). The earliest affected version is 7.77.0 2021-05-26.(CVE-2022-42916) An update for curl is now available for openEuler-22.03-LTS. openGauss Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High curl https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2041 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-42915 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-32221 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-42916 https://nvd.nist.gov/vuln/detail/CVE-2022-42915 https://nvd.nist.gov/vuln/detail/CVE-2022-32221 https://nvd.nist.gov/vuln/detail/CVE-2022-42916 openEuler-22.03-LTS curl-7.79.1-12.oe2203.aarch64.rpm libcurl-devel-7.79.1-12.oe2203.aarch64.rpm curl-debuginfo-7.79.1-12.oe2203.aarch64.rpm libcurl-7.79.1-12.oe2203.aarch64.rpm curl-debugsource-7.79.1-12.oe2203.aarch64.rpm curl-help-7.79.1-12.oe2203.noarch.rpm curl-7.79.1-12.oe2203.src.rpm curl-debugsource-7.79.1-12.oe2203.x86_64.rpm libcurl-7.79.1-12.oe2203.x86_64.rpm libcurl-devel-7.79.1-12.oe2203.x86_64.rpm curl-debuginfo-7.79.1-12.oe2203.x86_64.rpm curl-7.79.1-12.oe2203.x86_64.rpm A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a `CONNECT` request to the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer: `dict,` `gopher,` `gophers,` `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet.` 2022-11-04 CVE-2022-42915 openEuler-22.03-LTS High 7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L curl security update 2022-11-04 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2041 A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. 2022-11-04 CVE-2022-32221 openEuler-22.03-LTS Medium 4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N curl security update 2022-11-04 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2041 A vulnerability was found in curl. The issue occurs because curl s HSTS check can be bypassed to trick it to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E) `.`. 2022-11-04 CVE-2022-42916 openEuler-22.03-LTS Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N curl security update 2022-11-04 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-2041