ELSA-2021-4511

Published: Nov 16, 2021
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2021-4511: curl security and bug fix update (MODERATE)

[7.61.1-22]

  • fix STARTTLS protocol injection via MITM (CVE-2021-22947)
  • fix protocol downgrade required TLS bypass (CVE-2021-22946)

[7.61.1-21]

  • fix TELNET stack contents disclosure again (CVE-2021-22925)
  • fix TELNET stack contents disclosure (CVE-2021-22898)
  • fix bad connection reuse due to flawed path name checks (CVE-2021-22924)
  • disable metalink support to fix the following vulnerabilities:
    - CVE-2021-22923 - metalink download sends credentials
    - CVE-2021-22922 - wrong content via metalink not discarded

[7.61.1-20]

  • fix a cppchecks false positive in 0029-curl-7.61.1-CVE-2021-22876.patch

[7.61.1-19]

  • make curl --head file:// work as expected (#1947493)
  • prevent automatic referer from leaking credentials (CVE-2021-22876)

Updated packages

Oracle Linux 8

Oracle Linux aarch64
  curl             7.61.1-22.el8
  libcurl          7.61.1-22.el8
  libcurl-devel    7.61.1-22.el8
  libcurl-minimal  7.61.1-22.el8

Oracle Linux x86_64
  curl             7.61.1-22.el8
  libcurl          7.61.1-22.el8
  libcurl-devel    7.61.1-22.el8
  libcurl-minimal  7.61.1-22.el8

Related vulnerabilities

suse-cvrf
about 4 years ago

Security update for curl

suse-cvrf
about 4 years ago

Security update for curl

CVSS3: 5.3
ubuntu
about 4 years ago

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

CVSS3: 3.7
redhat
about 4 years ago

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

CVSS3: 5.3
nvd
about 4 years ago

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
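The CVE-2021-22876 entries above describe a Referer header built from the full previous URL, credentials included. The following added example (not code from curl or from this advisory) contrasts that leaky behaviour with a sanitizer that strips the userinfo and fragment before the value is reused, plus a check a proxy or log review could run to catch a Referer that still carries credentials. The function names and the sample URL are constructed for this illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the first request's URL carries credentials in the authority.
FIRST_REQUEST_URL = "https://alice:s3cr3t@api.example.com:8443/v1/items?page=2#top"


def referer_unsafe(url: str) -> str:
    """Pre-fix behaviour described in the CVE text: the URL is copied verbatim
    into the outgoing Referer header, so user:password@ travels to the next server."""
    return url


def referer_safe(url: str) -> str:
    """Build a Referer value with the userinfo removed.

    The authority is rebuilt from host and port only, so any user:password@
    prefix never reaches the header. The fragment is dropped as well, since a
    Referer must not carry it.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal: put the brackets back
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def has_userinfo(url: str) -> bool:
    """Detection helper: True when a URL or Referer value still embeds credentials.
    Useful when auditing outbound request logs for leaks of this kind."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


if __name__ == "__main__":
    print("leaky:", referer_unsafe(FIRST_REQUEST_URL), has_userinfo(referer_unsafe(FIRST_REQUEST_URL)))
    print("fixed:", referer_safe(FIRST_REQUEST_URL), has_userinfo(referer_safe(FIRST_REQUEST_URL)))
```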