
ELSA-2023-1140

Published: 07 Mar 2023
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2023-1140: curl security update (MODERATE)

[7.61.1-25.el8_7.3]

  • fix HTTP multi-header compression denial of service (CVE-2023-23916)

Updated packages

Oracle Linux 8

  Oracle Linux aarch64

  • curl 7.61.1-25.el8_7.3
  • libcurl 7.61.1-25.el8_7.3
  • libcurl-devel 7.61.1-25.el8_7.3
  • libcurl-minimal 7.61.1-25.el8_7.3

  Oracle Linux x86_64

  • curl 7.61.1-25.el8_7.3
  • libcurl 7.61.1-25.el8_7.3
  • libcurl-devel 7.61.1-25.el8_7.3
  • libcurl-minimal 7.61.1-25.el8_7.3

Related CVEs

Related vulnerabilities

CVSS3: 6.5
ubuntu
more than 2 years ago

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

CVSS3: 6.5
redhat
more than 2 years ago

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

CVSS3: 6.5
nvd
more than 2 years ago

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
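The descriptions above all turn on one detail: the cap on decompression "links" was enforced per Content-Encoding header rather than per response. The following Python is an added illustration of that bug class and of the corrected policy; it is not code from the exploitDog page, the Oracle advisory or curl itself. The cap value (MAX_LINKS), the header parser, and the sample responses are all constructed for the example, and the decision to ignore the no-op "identity" encoding is a design choice of this example, not a statement about curl's parser.

```python
# Added example; not code from the exploitDog page, the Oracle advisory or curl.
# Models the CVE-2023-23916 bug class: a cap on "decompression chain" links that is
# enforced per Content-Encoding header instead of per response. MAX_LINKS is an
# assumed limit chosen for illustration, not curl's actual value.

MAX_LINKS = 5  # assumed cap on compression steps a single response may demand


def content_encoding_chains(headers):
    """Split every Content-Encoding header into its list of encodings.

    headers: list of (name, value) tuples, as a minimal HTTP parser would hand over.
    Returns one list of encodings per header, in header order. The no-op
    "identity" token is dropped because it costs no decompression step.
    """
    chains = []
    for name, value in headers:
        if name.strip().lower() != "content-encoding":
            continue
        tokens = [token.strip().lower() for token in value.split(",")]
        chains.append([enc for enc in tokens if enc and enc != "identity"])
    return chains


def total_links(headers):
    """Number of decompression steps the response demands across all headers."""
    return sum(len(chain) for chain in content_encoding_chains(headers))


def accepts_per_header_cap(headers, cap=MAX_LINKS):
    """Vulnerable policy: each header is checked on its own, so N headers of
    `cap` links each all pass while the response demands N * cap steps."""
    return all(len(chain) <= cap for chain in content_encoding_chains(headers))


def accepts_total_cap(headers, cap=MAX_LINKS):
    """Fixed policy: the cap applies to the sum of links across all headers."""
    return total_links(headers) <= cap


def sample_response(n_headers, links_per_header):
    """Constructed response headers: n_headers Content-Encoding headers, each a
    chain of links_per_header gzip steps (the shape the advisory describes)."""
    chain = ", ".join(["gzip"] * links_per_header)
    return [("Content-Type", "text/plain")] + [("Content-Encoding", chain)] * n_headers


if __name__ == "__main__":
    benign = [("Content-Encoding", "gzip")]
    many_headers = sample_response(n_headers=100, links_per_header=MAX_LINKS)
    print("benign: per-header", accepts_per_header_cap(benign),
          "total", accepts_total_cap(benign))
    print("100 headers x 5 links: per-header", accepts_per_header_cap(many_headers),
          "total", accepts_total_cap(many_headers),
          "steps demanded", total_links(many_headers))
```

The per-header check accepts the 100-header response because every individual header stays within the cap, even though the response as a whole would require 500 decompression steps; the total-cap check rejects it while still accepting the single-header response. A defender reviewing any client that honours chained Content-Encoding should confirm the limit is accumulated across all headers of a response, as the total-cap variant does.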

CVSS3: 6.5
msrc
more than 2 years ago

No description available

CVSS3: 6.5
debian
more than 2 years ago

An allocation of resources without limits or throttling vulnerability ...