ELSA-2017-2016

Опубликовано: 07 авг. 2017

Источник: oracle-oval

Платформа: Oracle Linux 7

Описание

ELSA-2017-2016: curl security, bug fix, and enhancement update (MODERATE)

[7.29.0-42]

fix use of uninitialized variable detected by Covscan

[7.29.0-41]

make FTPS work with --proxytunnel (#1420327)

[7.29.0-40]

make FTPS work with --proxytunnel (#1420327)

[7.29.0-39]

work around race condition in PK11_FindSlotByName() in NSS (#1404815)

[7.29.0-38]

make FTPS work with --proxytunnel (#1420327)

[7.29.0-37]

fix tight loop in non-blocking TLS handhsake over proxy (#1388162)
handle cookies with numerical IPv6 address (#1341503)
make libcurl recognize chacha20-poly1305 and SHA384 cipher-suites (#1374740)
curl -E: allow to escape ':' in cert nickname (#1376062)
run automake in %prep to avoid patching Makefile.in files from now on

[7.29.0-36]

reject negative string lengths in curl_easy_[un]escape() (CVE-2016-7167)

Обновленные пакеты

Oracle Linux 7

Oracle Linux aarch64

curl

7.29.0-42.el7

libcurl

7.29.0-42.el7

libcurl-devel

7.29.0-42.el7

Oracle Linux x86_64

curl

7.29.0-42.el7

libcurl

7.29.0-42.el7

libcurl-devel

7.29.0-42.el7

Связанные CVE

CVE-2016-7167

Ссылки на источники

Связанные уязвимости

CVE-2016-7167

CVSS3: 9.8

ubuntu

около 9 лет назад

Multiple integer overflows in the (1) curl_escape, (2) curl_easy_escape, (3) curl_unescape, and (4) curl_easy_unescape functions in libcurl before 7.50.3 allow attackers to have unspecified impact via a string of length 0xffffffff, which triggers a heap-based buffer overflow.