An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1 and openEuler-22.03-LTS-SP2

Document type: Security Advisory
Contact: openeuler-security@openeuler.org
Issuing authority: openEuler security committee
Advisory ID: openEuler-SA-2023-1443
Status: Final
Version: 1.0
Revision history: 1.0, 2023-07-29, Initial
Initial release date: 2023-07-29
Current release date: 2023-07-29
Generator: openEuler SA Tool V1.0, 2023-07-29

Synopsis: curl security update

Description: cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.

Security Fix(es):

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called `stat()` followed by `fopen()` in a way that made it vulnerable to a TOCTOU race condition problem. By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to. (CVE-2023-32001)

Topic: openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Severity: Medium
Affected component: curl

References:
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1443
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2023-32001
https://nvd.nist.gov/vuln/detail/CVE-2023-32001

Products:
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
openEuler-22.03-LTS-SP1
openEuler-22.03-LTS-SP2

Packages (aarch64):
curl-7.71.1-30.oe1.aarch64.rpm libcurl-devel-7.71.1-30.oe1.aarch64.rpm curl-debugsource-7.71.1-30.oe1.aarch64.rpm libcurl-7.71.1-30.oe1.aarch64.rpm curl-debuginfo-7.71.1-30.oe1.aarch64.rpm
libcurl-devel-7.71.1-30.oe1.aarch64.rpm libcurl-7.71.1-30.oe1.aarch64.rpm curl-debugsource-7.71.1-30.oe1.aarch64.rpm curl-debuginfo-7.71.1-30.oe1.aarch64.rpm curl-7.71.1-30.oe1.aarch64.rpm
curl-7.79.1-23.oe2203.aarch64.rpm curl-debugsource-7.79.1-23.oe2203.aarch64.rpm curl-debuginfo-7.79.1-23.oe2203.aarch64.rpm libcurl-7.79.1-23.oe2203.aarch64.rpm libcurl-devel-7.79.1-23.oe2203.aarch64.rpm
curl-7.79.1-23.oe2203sp1.aarch64.rpm curl-debuginfo-7.79.1-23.oe2203sp1.aarch64.rpm libcurl-devel-7.79.1-23.oe2203sp1.aarch64.rpm curl-debugsource-7.79.1-23.oe2203sp1.aarch64.rpm libcurl-7.79.1-23.oe2203sp1.aarch64.rpm
curl-debuginfo-7.79.1-23.oe2203sp2.aarch64.rpm libcurl-7.79.1-23.oe2203sp2.aarch64.rpm libcurl-devel-7.79.1-23.oe2203sp2.aarch64.rpm curl-7.79.1-23.oe2203sp2.aarch64.rpm curl-debugsource-7.79.1-23.oe2203sp2.aarch64.rpm

Packages (noarch):
curl-help-7.71.1-30.oe1.noarch.rpm
curl-help-7.71.1-30.oe1.noarch.rpm
curl-help-7.79.1-23.oe2203.noarch.rpm
curl-help-7.79.1-23.oe2203sp1.noarch.rpm
curl-help-7.79.1-23.oe2203sp2.noarch.rpm

Packages (src):
curl-7.71.1-30.oe1.src.rpm
curl-7.71.1-30.oe1.src.rpm
curl-7.79.1-23.oe2203.src.rpm
curl-7.79.1-23.oe2203sp1.src.rpm
curl-7.79.1-23.oe2203sp2.src.rpm

Packages (x86_64):
curl-7.71.1-30.oe1.x86_64.rpm libcurl-devel-7.71.1-30.oe1.x86_64.rpm curl-debugsource-7.71.1-30.oe1.x86_64.rpm curl-debuginfo-7.71.1-30.oe1.x86_64.rpm libcurl-7.71.1-30.oe1.x86_64.rpm
curl-debuginfo-7.71.1-30.oe1.x86_64.rpm curl-debugsource-7.71.1-30.oe1.x86_64.rpm curl-7.71.1-30.oe1.x86_64.rpm libcurl-devel-7.71.1-30.oe1.x86_64.rpm libcurl-7.71.1-30.oe1.x86_64.rpm
curl-debugsource-7.79.1-23.oe2203.x86_64.rpm libcurl-7.79.1-23.oe2203.x86_64.rpm libcurl-devel-7.79.1-23.oe2203.x86_64.rpm curl-debuginfo-7.79.1-23.oe2203.x86_64.rpm curl-7.79.1-23.oe2203.x86_64.rpm
libcurl-devel-7.79.1-23.oe2203sp1.x86_64.rpm curl-debugsource-7.79.1-23.oe2203sp1.x86_64.rpm curl-debuginfo-7.79.1-23.oe2203sp1.x86_64.rpm curl-7.79.1-23.oe2203sp1.x86_64.rpm libcurl-7.79.1-23.oe2203sp1.x86_64.rpm
curl-debugsource-7.79.1-23.oe2203sp2.x86_64.rpm curl-7.79.1-23.oe2203sp2.x86_64.rpm libcurl-7.79.1-23.oe2203sp2.x86_64.rpm curl-debuginfo-7.79.1-23.oe2203sp2.x86_64.rpm libcurl-devel-7.79.1-23.oe2203sp2.x86_64.rpm

Vulnerability: CVE-2023-32001

libcurl can be told to save cookie, HSTS and/or alt-svc data to files. When doing this, it called `stat()` followed by `fopen()` in a way that made it vulnerable to a TOCTOU race condition problem. By exploiting this flaw, an attacker could trick the victim to create or overwrite protected files holding this data in ways it was not intended to.

Release date: 2023-07-29
Products: openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3, openEuler-22.03-LTS, openEuler-22.03-LTS-SP1, openEuler-22.03-LTS-SP2
Severity: Medium
CVSS base score: 5.5
CVSS vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Remediation: curl security update, 2023-07-29, https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1443