Описание
Security update for curl
This update for curl fixes the following issues:
- CVE-2020-8284: Fixed an issue where a malicious FTP server could make curl connect to a different IP (bsc#1179398).
- CVE-2020-8285: Fixed an FTP wildcard stack overflow (bsc#1179399).
Список пакетов
SUSE Linux Enterprise Server 11-SECURITY
curl-openssl1-7.37.0-70.57.1
libcurl4-openssl1-7.37.0-70.57.1
libcurl4-openssl1-32bit-7.37.0-70.57.1
libcurl4-openssl1-x86-7.37.0-70.57.1
Ссылки
- Link for SUSE-SU-2020:14585-1
- E-Mail link for SUSE-SU-2020:14585-1
- SUSE Security Ratings
- SUSE Bug 1179398
- SUSE Bug 1179399
- SUSE CVE CVE-2020-8284 page
- SUSE CVE CVE-2020-8285 page
Описание
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Затронутые продукты
SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1
SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1
SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1
SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1
Ссылки
- CVE-2020-8284
- SUSE Bug 1179398
- SUSE Bug 1179399
- SUSE Bug 1186108
Описание
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Затронутые продукты
SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.57.1
SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.57.1
SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.57.1
SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.57.1
Ссылки
- CVE-2020-8285
- SUSE Bug 1179399
- SUSE Bug 1186108