Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

rocky логотип

RLSA-2023:1140

Опубликовано: 08 мар. 2023
Источник: rocky
Оценка: Moderate

Описание

Moderate: curl security update

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: HTTP multi-header compression denial of service (CVE-2023-23916)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Затронутые продукты

  • Rocky Linux 8

НаименованиеАрхитектураРелизRPM
curlx86_6425.el8_7.3curl-7.61.1-25.el8_7.3.x86_64.rpm
libcurlx86_6425.el8_7.3libcurl-7.61.1-25.el8_7.3.x86_64.rpm
libcurl-develx86_6425.el8_7.3libcurl-devel-7.61.1-25.el8_7.3.x86_64.rpm
libcurl-minimalx86_6425.el8_7.3libcurl-minimal-7.61.1-25.el8_7.3.x86_64.rpm

Показывать по

Связанные CVE

CVE-2023-23916

Ссылки на источники

Исправления

Связанные уязвимости

ubuntu логотип

CVE-2023-23916

CVSS3: 6.5
ubuntu
больше 2 лет назад

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

redhat логотип

CVE-2023-23916

CVSS3: 6.5
redhat
больше 2 лет назад

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

nvd логотип

CVE-2023-23916

CVSS3: 6.5
nvd
больше 2 лет назад

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

msrc логотип

CVE-2023-23916

CVSS3: 6.5
msrc
больше 2 лет назад

Описание отсутствует

debian логотип

CVE-2023-23916

CVSS3: 6.5
debian
больше 2 лет назад

An allocation of resources without limits or throttling vulnerability ...