177 lines
10 KiB
XML
177 lines
10 KiB
XML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
||
|
|
<DocumentTitle xml:lang="en">An update for curl is now available for openEuler-22.03-LTS-SP1</DocumentTitle>
|
||
|
|
<DocumentType>Security Advisory</DocumentType>
|
||
|
|
<DocumentPublisher Type="Vendor">
|
||
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
||
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
||
|
|
</DocumentPublisher>
|
||
|
|
<DocumentTracking>
|
||
|
|
<Identification>
|
||
|
|
<ID>openEuler-SA-2023-1125</ID>
|
||
|
|
</Identification>
|
||
|
|
<Status>Final</Status>
|
||
|
|
<Version>1.0</Version>
|
||
|
|
<RevisionHistory>
|
||
|
|
<Revision>
|
||
|
|
<Number>1.0</Number>
|
||
|
|
<Date>2023-02-24</Date>
|
||
|
|
<Description>Initial</Description>
|
||
|
|
</Revision>
|
||
|
|
</RevisionHistory>
|
||
|
|
<InitialReleaseDate>2023-02-24</InitialReleaseDate>
|
||
|
|
<CurrentReleaseDate>2023-02-24</CurrentReleaseDate>
|
||
|
|
<Generator>
|
||
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
||
|
|
<Date>2023-02-24</Date>
|
||
|
|
</Generator>
|
||
|
|
</DocumentTracking>
|
||
|
|
<DocumentNotes>
|
||
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">curl security update</Note>
|
||
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for curl is now available for openEuler-22.03-LTS-SP1.</Note>
|
||
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.
|
||
|
|
|
||
|
|
Security Fix(es):
|
||
|
|
|
||
|
|
A flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file gets overwritten by the most recently completed transfer. This issue may result in limited confidentiality and integrity.(CVE-2023-23915)
|
||
|
|
|
||
|
|
A flaw was found in the Curl package, where the HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried. This issue may result in limited confidentiality and integrity.(CVE-2023-23914)
|
||
|
|
|
||
|
|
curl supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.(CVE-2023-23916)</Note>
|
||
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for curl is now available for openEuler-22.03-LTS-SP1.
|
||
|
|
|
||
|
|
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
||
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
|
||
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">curl</Note>
|
||
|
|
</DocumentNotes>
|
||
|
|
<DocumentReferences>
|
||
|
|
<Reference Type="Self">
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1125</URL>
|
||
|
|
</Reference>
|
||
|
|
<Reference Type="openEuler CVE">
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-23915</URL>
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-23914</URL>
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-23916</URL>
|
||
|
|
</Reference>
|
||
|
|
<Reference Type="Other">
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-23915</URL>
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-23914</URL>
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-23916</URL>
|
||
|
|
</Reference>
|
||
|
|
</DocumentReferences>
|
||
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
||
|
|
<Branch Type="Product Name" Name="openEuler">
|
||
|
|
<FullProductName ProductID="openEuler-22.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">openEuler-22.03-LTS-SP1</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="aarch64">
|
||
|
|
<FullProductName ProductID="curl-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-7.79.1-14.oe2203sp1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="libcurl-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">libcurl-7.79.1-14.oe2203sp1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-debuginfo-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-debuginfo-7.79.1-14.oe2203sp1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-debugsource-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-debugsource-7.79.1-14.oe2203sp1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="libcurl-devel-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">libcurl-devel-7.79.1-14.oe2203sp1.aarch64.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="noarch">
|
||
|
|
<FullProductName ProductID="curl-help-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-help-7.79.1-14.oe2203sp1.noarch.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="src">
|
||
|
|
<FullProductName ProductID="curl-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-7.79.1-14.oe2203sp1.src.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="x86_64">
|
||
|
|
<FullProductName ProductID="curl-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-7.79.1-14.oe2203sp1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="libcurl-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">libcurl-7.79.1-14.oe2203sp1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-debugsource-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-debugsource-7.79.1-14.oe2203sp1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="libcurl-devel-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">libcurl-devel-7.79.1-14.oe2203sp1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-debuginfo-7.79.1-14" CPE="cpe:/a:openEuler:openEuler:22.03-LTS-SP1">curl-debuginfo-7.79.1-14.oe2203sp1.x86_64.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
</ProductTree>
|
||
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">A flaw was found in the Curl package, where the HSTS mechanism could fail when multiple transfers are done in parallel, as the HSTS cache file gets overwritten by the most recently completed transfer. This issue may result in limited confidentiality and integrity.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-02-24</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-23915</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>4.3</BaseScore>
|
||
|
|
<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-02-24</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1125</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">A flaw was found in the Curl package, where the HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried. This issue may result in limited confidentiality and integrity.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-02-24</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-23914</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>4.3</BaseScore>
|
||
|
|
<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-02-24</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1125</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">curl supports chained HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable links in this decompression chain was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a malloc bomb , making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-02-24</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-23916</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-22.03-LTS-SP1</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>6.5</BaseScore>
|
||
|
|
<Vector>AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-02-24</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1125</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
</cvrfdoc>
|