Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

rocky логотип

RLSA-2024:1601

Опубликовано: 05 апр. 2024
Источник: rocky
Оценка: Moderate

Описание

Moderate: curl security and bug fix update

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: information disclosure by exploiting a mixed case flaw (CVE-2023-46218)

  • curl: more POST-after-PUT confusion (CVE-2023-28322)

  • curl: cookie injection with none file (CVE-2023-38546)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

  • libssh (curl sftp) not trying password auth (BZ#2240033)

  • libssh: cap SFTP packet size sent (Rocky Linux-5485)

Затронутые продукты

  • Rocky Linux 8

НаименованиеАрхитектураРелизRPM
curlx86_6433.el8_9.5curl-7.61.1-33.el8_9.5.x86_64.rpm
libcurlx86_6433.el8_9.5libcurl-7.61.1-33.el8_9.5.x86_64.rpm
libcurl-develx86_6433.el8_9.5libcurl-devel-7.61.1-33.el8_9.5.x86_64.rpm
libcurl-minimalx86_6433.el8_9.5libcurl-minimal-7.61.1-33.el8_9.5.x86_64.rpm

Показывать по

Связанные CVE

CVE-2023-28322
CVE-2023-38546
CVE-2023-46218

Ссылки на источники

Исправления

Связанные уязвимости

oracle-oval логотип

ELSA-2024-1601

oracle-oval
около 1 года назад

ELSA-2024-1601: curl security and bug fix update (MODERATE)

suse-cvrf логотип

SUSE-SU-2023:4650-1

suse-cvrf
больше 1 года назад

Security update for curl

ubuntu логотип

CVE-2023-28322

CVSS3: 3.7
ubuntu
около 2 лет назад

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

redhat логотип

CVE-2023-28322

CVSS3: 3.7
redhat
около 2 лет назад

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

nvd логотип

CVE-2023-28322

CVSS3: 3.7
nvd
около 2 лет назад

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.