Описание
Security update for curl
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
Список пакетов
Container suse/ltss/sle12.5/sles12sp5:latest
libcurl4-7.60.0-11.9.1
Container suse/sles12sp5:latest
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-Basic-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-HPC-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-HPC-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-SAP-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-SAP-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-Standard-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-EC2-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-EC2-ECS-On-Demand
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-EC2-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-EC2-SAP-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-EC2-SAP-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-GCE-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-GCE-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-GCE-SAP-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-GCE-SAP-On-Demand
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-OCI-BYOS-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-OCI-BYOS-SAP-BYOS
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
SUSE Linux Enterprise Server 12 SP5
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
libcurl4-32bit-7.60.0-11.9.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
curl-7.60.0-11.9.1
libcurl4-7.60.0-11.9.1
libcurl4-32bit-7.60.0-11.9.1
SUSE Linux Enterprise Software Development Kit 12 SP5
libcurl-devel-7.60.0-11.9.1
Ссылки
- Link for SUSE-SU-2020:3739-1
- E-Mail link for SUSE-SU-2020:3739-1
- SUSE Security Ratings
- SUSE Bug 1179398
- SUSE Bug 1179399
- SUSE Bug 1179593
- SUSE CVE CVE-2020-8284 page
- SUSE CVE CVE-2020-8285 page
- SUSE CVE CVE-2020-8286 page
Описание
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Затронутые продукты
Container suse/ltss/sle12.5/sles12sp5:latest:libcurl4-7.60.0-11.9.1
Container suse/sles12sp5:latest:libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-BYOS:curl-7.60.0-11.9.1
Image SLES12-SP5-Azure-BYOS:libcurl4-7.60.0-11.9.1
Ссылки
- CVE-2020-8284
- SUSE Bug 1179398
- SUSE Bug 1179399
- SUSE Bug 1186108
Описание
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Затронутые продукты
Container suse/ltss/sle12.5/sles12sp5:latest:libcurl4-7.60.0-11.9.1
Container suse/sles12sp5:latest:libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-BYOS:curl-7.60.0-11.9.1
Image SLES12-SP5-Azure-BYOS:libcurl4-7.60.0-11.9.1
Ссылки
- CVE-2020-8285
- SUSE Bug 1179399
- SUSE Bug 1186108
Описание
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
Затронутые продукты
Container suse/ltss/sle12.5/sles12sp5:latest:libcurl4-7.60.0-11.9.1
Container suse/sles12sp5:latest:libcurl4-7.60.0-11.9.1
Image SLES12-SP5-Azure-BYOS:curl-7.60.0-11.9.1
Image SLES12-SP5-Azure-BYOS:libcurl4-7.60.0-11.9.1
Ссылки
- CVE-2020-8286
- SUSE Bug 1179593
- SUSE Bug 1186108