246 lines
17 KiB
XML
246 lines
17 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
|
|
<DocumentTitle xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS</DocumentTitle>
|
|
<DocumentType>Security Advisory</DocumentType>
|
|
<DocumentPublisher Type="Vendor">
|
|
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
|
|
<IssuingAuthority>openEuler security committee</IssuingAuthority>
|
|
</DocumentPublisher>
|
|
<DocumentTracking>
|
|
<Identification>
|
|
<ID>openEuler-SA-2022-1659</ID>
|
|
</Identification>
|
|
<Status>Final</Status>
|
|
<Version>1.0</Version>
|
|
<RevisionHistory>
|
|
<Revision>
|
|
<Number>1.0</Number>
|
|
<Date>2022-05-18</Date>
|
|
<Description>Initial</Description>
|
|
</Revision>
|
|
</RevisionHistory>
|
|
<InitialReleaseDate>2022-05-18</InitialReleaseDate>
|
|
<CurrentReleaseDate>2022-05-18</CurrentReleaseDate>
|
|
<Generator>
|
|
<Engine>openEuler SA Tool V1.0</Engine>
|
|
<Date>2022-05-18</Date>
|
|
</Generator>
|
|
</DocumentTracking>
|
|
<DocumentNotes>
|
|
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">curl security update</Note>
|
|
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.</Note>
|
|
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.
|
|
|
|
Security Fix(es):
|
|
|
|
This security flaw in curl allows to reuse an OAUTH2 authenticated connection without properly ensuring that the connection is authenticated with the same credentials set by this transport, this issue can lead to authentication bypasses, either by mistake or by malicious actors.(CVE-2022-22576)
|
|
|
|
When asked, curl does an HTTP(S) redirect. curl also supports authentication. When providing a user and password for a URL with a given hostname, curl makes an effort not to pass these credentials to other hosts in redirects unless permissions with special options are granted. This "same host check" has been flawed since its introduction. It does not work with cross-protocol redirection, nor does it treat different port numbers as separate hosts. This results in leaking credentials to other servers when curl redirects from authentication protected HTTP(S) URLs to other protocols and port numbers. It could also leak TLS SRP credentials in this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but you can ask to allow redirects to all curl-supported protocols.(CVE-2022-27774)
|
|
|
|
This issue with curl occurs due to a logical bug where the configuration matching function does not take into account the IPv6 address zone id, which can cause curl to reuse the wrong connection when one transfer uses the zone id and subsequent transfers use another.(CVE-2022-27775)
|
|
|
|
This security flaw in curl allows leaking authentication or cookie header data over HTTP to redirect to the same host but a different port number, for applications passing custom Authorization: or Cookie: headers to the same set of headers Sending to servers on different port numbers is a problem, and these headers often contain privacy-sensitive information or data.(CVE-2022-27776)</Note>
|
|
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.
|
|
|
|
openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
|
|
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">Medium</Note>
|
|
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">curl</Note>
|
|
</DocumentNotes>
|
|
<DocumentReferences>
|
|
<Reference Type="Self">
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659</URL>
|
|
</Reference>
|
|
<Reference Type="openEuler CVE">
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-22576</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27774</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27775</URL>
|
|
<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27776</URL>
|
|
</Reference>
|
|
<Reference Type="Other">
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-22576</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-27774</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-27775</URL>
|
|
<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-27776</URL>
|
|
</Reference>
|
|
</DocumentReferences>
|
|
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
|
|
<Branch Type="Product Name" Name="openEuler">
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
|
|
<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
|
|
<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="aarch64">
|
|
<FullProductName ProductID="curl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debuginfo-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debuginfo-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debugsource-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debugsource-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-devel-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-devel-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debuginfo-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debuginfo-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debugsource-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debugsource-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-devel-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-devel-7.71.1-13.oe1.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-7.79.1-4.oe2203.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debuginfo-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-debuginfo-7.79.1-4.oe2203.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debugsource-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-debugsource-7.79.1-4.oe2203.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libcurl-7.79.1-4.oe2203.aarch64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-devel-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libcurl-devel-7.79.1-4.oe2203.aarch64.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="src">
|
|
<FullProductName ProductID="curl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-7.71.1-13.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-13.oe1.src.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-7.79.1-4.oe2203.src.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="noarch">
|
|
<FullProductName ProductID="curl-help-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-help-7.71.1-13.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-help-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-help-7.71.1-13.oe1.noarch.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-help-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-help-7.79.1-4.oe2203.noarch.rpm</FullProductName>
|
|
</Branch>
|
|
<Branch Type="Package Arch" Name="x86_64">
|
|
<FullProductName ProductID="curl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debuginfo-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debuginfo-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debugsource-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">curl-debugsource-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-devel-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libcurl-devel-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debuginfo-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debuginfo-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debugsource-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">curl-debugsource-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-devel-7.71.1-13" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">libcurl-devel-7.71.1-13.oe1.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-7.79.1-4.oe2203.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debuginfo-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-debuginfo-7.79.1-4.oe2203.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="curl-debugsource-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">curl-debugsource-7.79.1-4.oe2203.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libcurl-7.79.1-4.oe2203.x86_64.rpm</FullProductName>
|
|
<FullProductName ProductID="libcurl-devel-7.79.1-4" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">libcurl-devel-7.79.1-4.oe2203.x86_64.rpm</FullProductName>
|
|
|
|
</Branch>
|
|
</ProductTree>
|
|
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">This security flaw in curl allows to reuse an OAUTH2 authenticated connection without properly ensuring that the connection is authenticated with the same credentials set by this transport, this issue can lead to authentication bypasses, either by mistake or by malicious actors.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-05-18</ReleaseDate>
|
|
<CVE>CVE-2022-22576</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Low</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>4.6</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>curl security update</Description>
|
|
<DATE>2022-05-18</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">When asked, curl does an HTTP(S) redirect. curl also supports authentication. When providing a user and password for a URL with a given hostname, curl makes an effort not to pass these credentials to other hosts in redirects unless permissions with special options are granted. This "same host check" has been flawed since its introduction. It does not work with cross-protocol redirection, nor does it treat different port numbers as separate hosts. This results in leaking credentials to other servers when curl redirects from authentication protected HTTP(S) URLs to other protocols and port numbers. It could also leak TLS SRP credentials in this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but you can ask to allow redirects to all curl-supported protocols.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-05-18</ReleaseDate>
|
|
<CVE>CVE-2022-27774</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Medium</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>5.0</BaseScore>
|
|
<Vector>AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>curl security update</Description>
|
|
<DATE>2022-05-18</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="3" xml:lang="en">This issue with curl occurs due to a logical bug where the configuration matching function does not take into account the IPv6 address zone id, which can cause curl to reuse the wrong connection when one transfer uses the zone id and subsequent transfers use another.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-05-18</ReleaseDate>
|
|
<CVE>CVE-2022-27775</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Low</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>2.6</BaseScore>
|
|
<Vector>AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>curl security update</Description>
|
|
<DATE>2022-05-18</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
<Vulnerability Ordinal="4" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
|
|
<Notes>
|
|
<Note Title="Vulnerability Description" Type="General" Ordinal="4" xml:lang="en">This security flaw in curl allows leaking authentication or cookie header data over HTTP to redirect to the same host but a different port number, for applications passing custom Authorization: or Cookie: headers to the same set of headers Sending to servers on different port numbers is a problem, and these headers often contain privacy-sensitive information or data.</Note>
|
|
</Notes>
|
|
<ReleaseDate>2022-05-18</ReleaseDate>
|
|
<CVE>CVE-2022-27776</CVE>
|
|
<ProductStatuses>
|
|
<Status Type="Fixed">
|
|
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
|
|
<ProductID>openEuler-20.03-LTS-SP3</ProductID>
|
|
<ProductID>openEuler-22.03-LTS</ProductID>
|
|
</Status>
|
|
</ProductStatuses>
|
|
<Threats>
|
|
<Threat Type="Impact">
|
|
<Description>Low</Description>
|
|
</Threat>
|
|
</Threats>
|
|
<CVSSScoreSets>
|
|
<ScoreSet>
|
|
<BaseScore>4.3</BaseScore>
|
|
<Vector>AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</Vector>
|
|
</ScoreSet>
|
|
</CVSSScoreSets>
|
|
<Remediations>
|
|
<Remediation Type="Vendor Fix">
|
|
<Description>curl security update</Description>
|
|
<DATE>2022-05-18</DATE>
|
|
<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1659</URL>
|
|
</Remediation>
|
|
</Remediations>
|
|
</Vulnerability>
|
|
</cvrfdoc> |