ELSA-2023-1701

Published: 11 Apr 2023
Source: oracle-oval
Platform: Oracle Linux 9

Description

ELSA-2023-1701: curl security update (MODERATE)

[7.76.1-19.el9_1.2]

  • fix HTTP multi-header compression denial of service (CVE-2023-23916)

Updated packages

Oracle Linux 9

Oracle Linux aarch64
  curl              7.76.1-19.el9_1.2
  curl-minimal      7.76.1-19.el9_1.2
  libcurl           7.76.1-19.el9_1.2
  libcurl-devel     7.76.1-19.el9_1.2
  libcurl-minimal   7.76.1-19.el9_1.2

Oracle Linux x86_64
  curl              7.76.1-19.el9_1.2
  curl-minimal      7.76.1-19.el9_1.2
  libcurl           7.76.1-19.el9_1.2
  libcurl-devel     7.76.1-19.el9_1.2
  libcurl-minimal   7.76.1-19.el9_1.2

Related CVEs

Related vulnerabilities

CVSS3: 6.5
ubuntu
more than 2 years ago

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
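To make the per-header cap flaw concrete, here is an added Python illustration (not curl's own code; the stage limit of 5 and the sample headers are assumptions) contrasting a cap enforced per Content-Encoding header with one enforced over the whole decompression chain:

```python
"""CVE-2023-23916 in miniature: counting decompression stages per header
versus across the whole response. Constructed illustration, not curl code."""
from typing import List, Tuple

# Assumed cap on chained content encodings (curl's real limit is not taken from this page).
MAX_DECODE_STAGES = 5

Header = Tuple[str, str]


def parse_encodings(header_value: str) -> List[str]:
    """Split one Content-Encoding value into its ordered, lower-cased tokens."""
    return [t.strip().lower() for t in header_value.split(",") if t.strip()]


def collect_chain(headers: List[Header]) -> List[str]:
    """Gather the full decompression chain from every Content-Encoding header, in order."""
    chain: List[str] = []
    for name, value in headers:
        if name.lower() == "content-encoding":
            chain.extend(e for e in parse_encodings(value) if e != "identity")
    return chain


def per_header_check(headers: List[Header]) -> bool:
    """Vulnerable pattern: the cap is applied to each header separately,
    so many short headers slip through while the total chain grows unbounded."""
    for name, value in headers:
        if name.lower() == "content-encoding":
            stages = [e for e in parse_encodings(value) if e != "identity"]
            if len(stages) > MAX_DECODE_STAGES:
                return False
    return True


def total_chain_check(headers: List[Header]) -> bool:
    """Hardened pattern: the cap is applied to the whole chain across all headers."""
    return len(collect_chain(headers)) <= MAX_DECODE_STAGES


# Constructed sample: 20 Content-Encoding headers, each individually under the cap.
MALICIOUS_HEADERS: List[Header] = [("Content-Type", "text/plain")] + \
    [("Content-Encoding", "gzip, gzip")] * 20
BENIGN_HEADERS: List[Header] = [("Content-Encoding", "gzip"), ("Content-Length", "42")]

if __name__ == "__main__":
    print("total stages:", len(collect_chain(MALICIOUS_HEADERS)))
    print("per-header cap accepts:", per_header_check(MALICIOUS_HEADERS))
    print("total-chain cap accepts:", total_chain_check(MALICIOUS_HEADERS))
```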

CVSS3: 6.5
redhat
more than 2 years ago


CVSS3: 6.5
nvd
more than 2 years ago


CVSS3: 6.5
msrc
more than 2 years ago

No description available

CVSS3: 6.5
debian
more than 2 years ago

An allocation of resources without limits or throttling vulnerability ...