
SUSE-SU-2021:1006-1

Published: 01 Apr 2021
Source: suse-cvrf

Description

Security update for curl

This update for curl fixes the following issues:

  • CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934)
  • CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933)

Package list

Container bci/bci-init:15.3
libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:3.1
libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:5.0
libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:latest
libcurl4-7.66.0-4.14.1
Container bci/dotnet-runtime:3.1
libcurl4-7.66.0-4.14.1
Container bci/dotnet-runtime:5.0
libcurl4-7.66.0-4.14.1
Container bci/dotnet-runtime:latest
libcurl4-7.66.0-4.14.1
Container bci/dotnet-sdk:3.1
libcurl4-7.66.0-4.14.1
Container bci/dotnet-sdk:5.0
libcurl4-7.66.0-4.14.1
Container bci/dotnet-sdk:latest
libcurl4-7.66.0-4.14.1
Container bci/golang:1.16
libcurl4-7.66.0-4.14.1
Container bci/golang:1.17
libcurl4-7.66.0-4.14.1
Container bci/golang:latest
libcurl4-7.66.0-4.14.1
Container bci/node:12
libcurl4-7.66.0-4.14.1
Container bci/node:14
libcurl4-7.66.0-4.14.1
Container bci/nodejs:latest
libcurl4-7.66.0-4.14.1
Container bci/openjdk-devel:11
libcurl4-7.66.0-4.14.1
Container bci/openjdk:latest
libcurl4-7.66.0-4.14.1
Container bci/python:3
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container bci/ruby:latest
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container ses/7.1/ceph/grafana:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/ceph/haproxy:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/ceph/keepalived:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/ceph/prometheus-alertmanager:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/ceph/prometheus-node-exporter:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/ceph/prometheus-server:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/ceph/prometheus-snmp_notifier:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/cephcsi/cephcsi:latest
libcurl4-7.66.0-4.14.1
Container ses/7.1/cephcsi/csi-attacher:v4.1.0
libcurl4-7.66.0-4.14.1
Container ses/7.1/cephcsi/csi-node-driver-registrar:v2.7.0
libcurl4-7.66.0-4.14.1
Container ses/7.1/cephcsi/csi-provisioner:v3.4.0
libcurl4-7.66.0-4.14.1
Container ses/7.1/cephcsi/csi-resizer:v1.7.0
libcurl4-7.66.0-4.14.1
Container ses/7.1/cephcsi/csi-snapshotter:v6.2.1
libcurl4-7.66.0-4.14.1
Container ses/7.1/rook/ceph:latest
libcurl4-7.66.0-4.14.1
Container ses/7/ceph/grafana:latest
libcurl4-7.66.0-4.14.1
Container ses/7/ceph/prometheus-alertmanager:latest
libcurl4-7.66.0-4.14.1
Container ses/7/ceph/prometheus-node-exporter:latest
libcurl4-7.66.0-4.14.1
Container ses/7/ceph/prometheus-server:latest
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/cephcsi:latest
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/csi-attacher:v3.3.0
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/csi-livenessprobe:v1.1.0
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/csi-node-driver-registrar:v2.3.0
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/csi-provisioner:v3.0.0
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/csi-resizer:v1.3.0
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/csi-snapshotter:v2.1.0
libcurl4-7.66.0-4.14.1
Container ses/7/cephcsi/csi-snapshotter:v4.2.0
libcurl4-7.66.0-4.14.1
Container ses/7/prometheus-webhook-snmp:latest
libcurl4-7.66.0-4.14.1
Container ses/7/rook/ceph:latest
libcurl4-7.66.0-4.14.1
Container suse/ltss/sle15.3/bci-base:latest
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container suse/pcp:latest
libcurl4-7.66.0-4.14.1
Container suse/rmt-mariadb-client:latest
libcurl4-7.66.0-4.14.1
Container suse/rmt-mariadb:latest
libcurl4-7.66.0-4.14.1
Container suse/rmt-nginx:latest
libcurl4-7.66.0-4.14.1
Container suse/rmt-server:latest
libcurl4-7.66.0-4.14.1
Container suse/sle-micro-rancher/5.2:latest
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container suse/sle-micro/5.1/toolbox:latest
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container suse/sle-micro/5.2/toolbox:latest
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container suse/sle15:15.2
libcurl4-7.66.0-4.14.1
Container suse/sle15:15.3
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.2/virt-api:0.38.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.2/virt-controller:0.38.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.2/virt-handler:0.38.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.2/virt-launcher:0.38.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.2/virt-operator:0.38.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/cdi-apiserver:1.37.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/cdi-cloner:1.37.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/cdi-controller:1.37.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/cdi-importer:1.37.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/cdi-operator:1.37.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/cdi-uploadproxy:1.37.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/cdi-uploadserver:1.37.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/libguestfs-tools:0.45.0
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/virt-api:0.45.0
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/virt-controller:0.45.0
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/virt-handler:0.45.0
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/virt-launcher:0.45.0
libcurl4-7.66.0-4.14.1
Container suse/sles/15.3/virt-operator:0.45.0
libcurl4-7.66.0-4.14.1
Container trento/trento-db:latest
libcurl4-7.66.0-4.14.1
Container trento/trento-runner:latest
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Azure-Basic
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Azure-Standard
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-CHOST-BYOS-Aliyun
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-CHOST-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-CHOST-BYOS-EC2
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-CHOST-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-EC2-ECS-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-HPC-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-HPC-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-HPC-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Manager-4-1-Proxy-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Manager-4-1-Proxy-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Manager-4-1-Proxy-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP2-SAP-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-CHOST-BYOS-Aliyun
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-CHOST-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-CHOST-BYOS-EC2
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-CHOST-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-CHOST-BYOS-SAP-CCloud
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-EC2-ECS-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-EC2-HVM
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1
Image SLES15-SP3-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-HPC-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-HPC-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-HPC-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-HPC-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Micro-5-1-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Micro-5-1-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Micro-5-1-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Micro-5-2-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Micro-5-2-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Micro-5-2-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-Micro-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-SAP-Azure
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1
Image SLES15-SP3-SAP-Azure-LI-BYOS-Production
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-SAP-BYOS-Azure
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-SAP-BYOS-EC2-HVM
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-SAP-BYOS-GCE
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
Image SLES15-SP3-SAP-EC2-HVM
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1
Image SLES15-SP3-SAP-GCE
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1
Image SLES15-SP3-SAPCAL-Azure
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1
Image SLES15-SP3-SAPCAL-EC2-HVM
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1
Image SLES15-SP3-SAPCAL-GCE
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1
SUSE Linux Enterprise Micro 5.0
curl-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
SUSE Linux Enterprise Module for Basesystem 15 SP2
curl-7.66.0-4.14.1
libcurl-devel-7.66.0-4.14.1
libcurl4-7.66.0-4.14.1
libcurl4-32bit-7.66.0-4.14.1

Description

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
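The missing step described above, plus a log check for it, as an added example that is not code from curl or SUSE: `strip_userinfo`, `referer_leaks_credentials` and `find_leaky_referers` are hypothetical names, and the access-log lines (combined log format) are constructed sample data.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def strip_userinfo(url):
    """Return url without user:password@ and without the fragment.

    RFC 7231 section 5.5.2 requires both to be left out of Referer.
    """
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is userinfo.
    host = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))

def referer_leaks_credentials(referer):
    """True when the Referer value still carries userinfo in its authority."""
    # Only the authority counts: an '@' in the path or query is harmless.
    return "@" in urlsplit(referer).netloc

# Request line, status, size, then the quoted Referer field.
LOG_RE = re.compile(r'"[^"]*" \d{3} \S+ "(?P<referer>[^"]*)"')

def find_leaky_referers(lines):
    """Return (line_number, redacted_referer) for every leaking entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if match and referer_leaks_credentials(match.group("referer")):
            # Report the redacted form so the secret is not copied again.
            hits.append((number, strip_userinfo(match.group("referer"))))
    return hits

# Constructed sample data, not taken from any real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2021:10:00:00 +0000] "GET /b HTTP/1.1" 200 512 '
    '"https://alice:s3cr3t@intranet.example/a" "curl/7.66.0"',
    '192.0.2.11 - - [01/Apr/2021:10:00:01 +0000] "GET /b HTTP/1.1" 200 512 '
    '"https://intranet.example/a?mail=bob@example.org" "curl/7.76.0"',
    '192.0.2.12 - - [01/Apr/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 100 '
    '"-" "curl/7.66.0"',
]

if __name__ == "__main__":
    for number, referer in find_leaky_referers(SAMPLE_LOG):
        print(f"line {number}: credentials in Referer (redacted: {referer})")
```

Any hit means the credentials have already reached the second server and its logs, so they should be rotated in addition to updating the package.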


Affected products
Container bci/bci-init:15.3:libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:3.1:libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:5.0:libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:latest:libcurl4-7.66.0-4.14.1

References

Description

curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy and work as if they arrived from the remote server, and then wrongly "short-cut" the host handshake. When confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket to resume for the host, thereby circumventing the server TLS certificate check and making a MITM attack possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work, unless curl has been told to ignore the server certificate check.


Affected products
Container bci/bci-init:15.3:libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:3.1:libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:5.0:libcurl4-7.66.0-4.14.1
Container bci/dotnet-aspnet:latest:libcurl4-7.66.0-4.14.1

References
Vulnerability SUSE-SU-2021:1006-1