jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0b34274085
cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1506.xml
Jia Chao 0b34274085 git mv 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

173 lines
13 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2022-1506</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2022-01-28</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2022-01-28</InitialReleaseDate>
<CurrentReleaseDate>2022-01-28</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2022-01-28</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">curl security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Curl is used in command lines or scripts to transfer data.
Security Fix(es):
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user&apos;s expectations and intentions and without telling the user it happened.(CVE-2021-22923)
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.(CVE-2021-22922)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP1,openEuler-20.03-LTS-SP2 and openEuler-20.03-LTS-SP3.
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">curl</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1506</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-22923</URL>
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-22922</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-22923</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2021-22922</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">openEuler-20.03-LTS-SP2</FullProductName>
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-debuginfo-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debuginfo-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcurl-devel-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-devel-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-debugsource-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debugsource-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcurl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-debuginfo-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-debuginfo-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcurl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcurl-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcurl-devel-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcurl-devel-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-debugsource-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-debugsource-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcurl-devel-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-devel-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-debuginfo-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debuginfo-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="curl-debugsource-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debugsource-7.71.1-12.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="libcurl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-7.71.1-12.oe1.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="curl-help-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-help-7.71.1-12.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="curl-help-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-help-7.71.1-12.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="curl-help-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-help-7.71.1-12.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-7.71.1-12.oe1.src.rpm</FullProductName>
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-7.71.1-12.oe1.src.rpm</FullProductName>
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-12.oe1.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="libcurl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-debuginfo-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debuginfo-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-debugsource-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debugsource-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcurl-devel-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-devel-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcurl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcurl-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-debuginfo-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-debuginfo-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-debugsource-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-debugsource-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcurl-devel-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">libcurl-devel-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP2">curl-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-debuginfo-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debuginfo-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcurl-devel-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-devel-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-debugsource-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debugsource-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="curl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-12.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="libcurl-7.71.1-12" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-7.71.1-12.oe1.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user s expectations and intentions and without telling the user it happened.</Note>
</Notes>
<ReleaseDate>2022-01-28</ReleaseDate>
<CVE>CVE-2021-22923</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>5.3</BaseScore>
<Vector>AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>curl security update</Description>
<DATE>2022-01-28</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1506</URL>
</Remediation>
</Remediations>
</Vulnerability>
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.</Note>
</Notes>
<ReleaseDate>2022-01-28</ReleaseDate>
<CVE>CVE-2021-22922</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
<ProductID>openEuler-20.03-LTS-SP2</ProductID>
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>Medium</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>5.7</BaseScore>
<Vector>AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>curl security update</Description>
<DATE>2022-01-28</DATE>
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1506</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink