248 lines
15 KiB
XML
248 lines
15 KiB
XML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
||
|
|
<DocumentTitle xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP3</DocumentTitle>
|
||
|
|
<DocumentType>Security Advisory</DocumentType>
|
||
|
|
<DocumentPublisher Type="Vendor">
|
||
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
||
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
||
|
|
</DocumentPublisher>
|
||
|
|
<DocumentTracking>
|
||
|
|
<Identification>
|
||
|
|
<ID>openEuler-SA-2023-1195</ID>
|
||
|
|
</Identification>
|
||
|
|
<Status>Final</Status>
|
||
|
|
<Version>1.0</Version>
|
||
|
|
<RevisionHistory>
|
||
|
|
<Revision>
|
||
|
|
<Number>1.0</Number>
|
||
|
|
<Date>2023-03-31</Date>
|
||
|
|
<Description>Initial</Description>
|
||
|
|
</Revision>
|
||
|
|
</RevisionHistory>
|
||
|
|
<InitialReleaseDate>2023-03-31</InitialReleaseDate>
|
||
|
|
<CurrentReleaseDate>2023-03-31</CurrentReleaseDate>
|
||
|
|
<Generator>
|
||
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
||
|
|
<Date>2023-03-31</Date>
|
||
|
|
</Generator>
|
||
|
|
</DocumentTracking>
|
||
|
|
<DocumentNotes>
|
||
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">curl security update</Note>
|
||
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP3.</Note>
|
||
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.
|
||
|
|
|
||
|
|
Security Fix(es):
|
||
|
|
|
||
|
|
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily. The settings in questions are `CURLOPT_FTP_ACCOUNT`, `CURLOPT_FTP_ALTERNATIVE_TO_USER`, `CURLOPT_FTP_SSL_CCC` and `CURLOPT_USE_SSL` level.(CVE-2023-27535)
|
||
|
|
|
||
|
|
libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.(CVE-2023-27538)
|
||
|
|
|
||
|
|
libcurl would reuse a previously created connection even when the GSS delegation (`CURLOPT_GSSAPI_DELEGATION`) option had been changed that could have changed the user's permissions in a second transfer. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, this GSS delegation setting was left out from the configuration match checks, making them match too easily, affecting krb5/kerberos/negotiate/GSSAPI transfers.(CVE-2023-27536)
|
||
|
|
|
||
|
|
curl supports communicating using the TELNET protocol and as a part of this it offers users to pass on user name and "telnet options" for the server
|
||
|
|
negotiation. Due to lack of proper input scrubbing and without it being the documented functionality, curl would pass on user name and telnet options to the server as provided. This could allow users to pass in carefully crafted content that pass on content or do option negotiation without the application intending to do so. In particular if an application for example allows users to provide the data or parts of the data.(CVE-2023-27533)
|
||
|
|
|
||
|
|
curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (`~`) character as the first
|
||
|
|
path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the [once proposed
|
||
|
|
to-become RFC draft](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-scp-sftp-ssh-uri-04) that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element. Using a path like `/~2/foo` when accessing a server using the user `dan` (with home directory `/home/dan`) would then quite suprisingly access the file `/home/dan2/foo`. This can be taken advantage of to circumvent filtering or worse.(CVE-2023-27534)</Note>
|
||
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP3.
|
||
|
|
|
||
|
|
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
||
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
|
||
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">curl</Note>
|
||
|
|
</DocumentNotes>
|
||
|
|
<DocumentReferences>
|
||
|
|
<Reference Type="Self">
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1195</URL>
|
||
|
|
</Reference>
|
||
|
|
<Reference Type="openEuler CVE">
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27535</URL>
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27538</URL>
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27536</URL>
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27533</URL>
|
||
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-27534</URL>
|
||
|
|
</Reference>
|
||
|
|
<Reference Type="Other">
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-27535</URL>
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-27538</URL>
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-27536</URL>
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-27533</URL>
|
||
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2023-27534</URL>
|
||
|
|
</Reference>
|
||
|
|
</DocumentReferences>
|
||
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
||
|
|
<Branch Type="Product Name" Name="openEuler">
|
||
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="aarch64">
|
||
|
|
<FullProductName ProductID="libcurl-devel-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-devel-7.71.1-24.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="libcurl-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-7.71.1-24.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-debugsource-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debugsource-7.71.1-24.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-debuginfo-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debuginfo-7.71.1-24.oe1.aarch64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-24.oe1.aarch64.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="noarch">
|
||
|
|
<FullProductName ProductID="curl-help-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-help-7.71.1-24.oe1.noarch.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="src">
|
||
|
|
<FullProductName ProductID="curl-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-24.oe1.src.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
<Branch Type="Package Arch" Name="x86_64">
|
||
|
|
<FullProductName ProductID="curl-debugsource-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debugsource-7.71.1-24.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-debuginfo-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debuginfo-7.71.1-24.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="libcurl-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-7.71.1-24.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="curl-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-24.oe1.x86_64.rpm</FullProductName>
|
||
|
|
<FullProductName ProductID="libcurl-devel-7.71.1-24" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-devel-7.71.1-24.oe1.x86_64.rpm</FullProductName>
|
||
|
|
</Branch>
|
||
|
|
</ProductTree>
|
||
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-03-31</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-27535</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>5.8</BaseScore>
|
||
|
|
<Vector>AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-03-31</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1195</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">An authentication bypass vulnerability exists in libcurl v8.0.0 where it reuses a previously established SSH connection despite the fact that an SSH option was modified, which should have prevented reuse. libcurl maintains a pool of previously used connections to reuse them for subsequent transfers if the configurations match. However, two SSH settings were omitted from the configuration check, allowing them to match easily, potentially leading to the reuse of an inappropriate connection.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-03-31</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-27538</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>5.8</BaseScore>
|
||
|
|
<Vector>AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-03-31</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1195</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">An authentication bypass vulnerability exists libcurl <8.0.0 in the connection reuse feature which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-03-31</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-27536</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>5.8</BaseScore>
|
||
|
|
<Vector>AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-03-31</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1195</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an attacker to pass on maliciously crafted user name and "telnet options" during server negotiation. The lack of proper input scrubbing allows an attacker to send content or perform option negotiation without the application's intent. This vulnerability could be exploited if an application allows user input, thereby enabling attackers to execute arbitrary code on the system.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-03-31</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-27533</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>4.5</BaseScore>
|
||
|
|
<Vector>AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-03-31</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1195</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
<Vulnerability Ordinal="5" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
||
|
|
<Notes>
|
||
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="5" xml:lang="en">A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.</Note>
|
||
|
|
</Notes>
|
||
|
|
<ReleaseDate>2023-03-31</ReleaseDate>
|
||
|
|
<CVE>CVE-2023-27534</CVE>
|
||
|
|
<ProductStatuses>
|
||
|
|
<Status Type="Fixed">
|
||
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
||
|
|
</Status>
|
||
|
|
</ProductStatuses>
|
||
|
|
<Threats>
|
||
|
|
<Threat Type="Impact">
|
||
|
|
<Description>Medium</Description>
|
||
|
|
</Threat>
|
||
|
|
</Threats>
|
||
|
|
<CVSSScoreSets>
|
||
|
|
<ScoreSet>
|
||
|
|
<BaseScore>4.5</BaseScore>
|
||
|
|
<Vector>AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L</Vector>
|
||
|
|
</ScoreSet>
|
||
|
|
</CVSSScoreSets>
|
||
|
|
<Remediations>
|
||
|
|
<Remediation Type="Vendor Fix">
|
||
|
|
<Description>curl security update</Description>
|
||
|
|
<DATE>2023-03-31</DATE>
|
||
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1195</URL>
|
||
|
|
</Remediation>
|
||
|
|
</Remediations>
|
||
|
|
</Vulnerability>
|
||
|
|
</cvrfdoc>
|