SUSE-SU-2021:1809-1

Опубликовано: 31 мая 2021

Источник: suse-cvrf

Описание

Security update for curl

This update for curl fixes the following issues:

CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
Allow partial chain verification (jsc#SLE-17956).

Список пакетов

Container caasp/v4/389-ds:1.4.2

libcurl4-7.60.0-3.42.1

Container caasp/v4/busybox:1.34.1

libcurl4-7.60.0-3.42.1

Container caasp/v4/caasp-dex:2.16.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/cert-exporter:2.3.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/cilium-etcd-operator:2.0.5

libcurl4-7.60.0-3.42.1

Container caasp/v4/cilium-init:1.5.3

libcurl4-7.60.0-3.42.1

Container caasp/v4/cilium-operator:1.6.6

libcurl4-7.60.0-3.42.1

Container caasp/v4/cilium:1.6.6

libcurl4-7.60.0-3.42.1

Container caasp/v4/cloud-provider-openstack:1.15.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/configmap-reload:0.3.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/coredns:1.6.7

libcurl4-7.60.0-3.42.1

Container caasp/v4/curl:7.60.0

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Container caasp/v4/etcd:3.4.13

libcurl4-7.60.0-3.42.1

Container caasp/v4/gangway:3.1.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/grafana:7.5.12

libcurl4-7.60.0-3.42.1

Container caasp/v4/helm-tiller:2.16.12

libcurl4-7.60.0-3.42.1

Container caasp/v4/hyperkube:v1.17.17

libcurl4-7.60.0-3.42.1

Container caasp/v4/k8s-sidecar:0.1.75

libcurl4-7.60.0-3.42.1

Container caasp/v4/kube-state-metrics:1.9.3

libcurl4-7.60.0-3.42.1

Container caasp/v4/kubernetes-client:1.17.17

libcurl4-7.60.0-3.42.1

Container caasp/v4/kucero:1.3.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/kured:1.3.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/metrics-server:0.3.6

libcurl4-7.60.0-3.42.1

Container caasp/v4/prometheus-alertmanager:0.16.2

libcurl4-7.60.0-3.42.1

Container caasp/v4/prometheus-node-exporter:1.1.2

libcurl4-7.60.0-3.42.1

Container caasp/v4/prometheus-pushgateway:0.6.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/prometheus-server:2.7.1

libcurl4-7.60.0-3.42.1

Container caasp/v4/rsyslog:8.39.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/skuba-tooling:0.1.0

libcurl4-7.60.0-3.42.1

Container caasp/v4/test-update:beta

libcurl4-7.60.0-3.42.1

Container caasp/v4/velero-plugin-for-aws:1.0.1

libcurl4-7.60.0-3.42.1

Container caasp/v4/velero-plugin-for-gcp:1.0.1

libcurl4-7.60.0-3.42.1

Container caasp/v4/velero-plugin-for-microsoft-azure:1.0.1

libcurl4-7.60.0-3.42.1

Container caasp/v4/velero-restic-restore-helper:1.3.1

libcurl4-7.60.0-3.42.1

Container caasp/v4/velero:1.3.1

libcurl4-7.60.0-3.42.1

Container ses/6/cephcsi/cephcsi:latest

libcurl4-7.60.0-3.42.1

Container ses/6/rook/ceph:latest

libcurl4-7.60.0-3.42.1

Container suse/sle15:15.0

libcurl4-7.60.0-3.42.1

Container suse/sle15:15.1

libcurl4-7.60.0-3.42.1

Image SLES15-Azure-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-EC2-CHOST-HVM-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-EC2-HVM-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-GCE-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-Azure

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-Azure-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-Azure-LI-BYOS-Production

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-Azure-VLI-BYOS-Production

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-EC2-HVM

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-EC2-HVM-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-GCE

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SAP-GCE-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-Azure-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-Azure-HPC-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-CHOST-BYOS-Azure

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-CHOST-BYOS-EC2

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-CHOST-BYOS-GCE

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-EC2-HPC-HVM-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-EC2-HVM-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-GCE-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-Azure

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-Azure-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-Azure-LI-BYOS-Production

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-EC2-HVM

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-EC2-HVM-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-GCE

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAP-GCE-BYOS

curl-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAPCAL-Azure

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAPCAL-EC2-HVM

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

Image SLES15-SP1-SAPCAL-GCE

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

SUSE Enterprise Storage 6

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise High Performance Computing 15-ESPOS

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise High Performance Computing 15-LTSS

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise Server 15 SP1-BCL

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise Server 15 SP1-LTSS

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise Server 15-LTSS

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise Server for SAP Applications 15

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Linux Enterprise Server for SAP Applications 15 SP1

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Manager Proxy 4.0

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Manager Retail Branch Server 4.0

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

SUSE Manager Server 4.0

curl-7.60.0-3.42.1

libcurl-devel-7.60.0-3.42.1

libcurl4-7.60.0-3.42.1

libcurl4-32bit-7.60.0-3.42.1

Ссылки

https://www.suse.com/support/update/announcement/2021/suse-su-20211809-1/
Link for SUSE-SU-2021:1809-1
https://lists.suse.com/pipermail/sle-security-updates/2021-May/008887.html
E-Mail link for SUSE-SU-2021:1809-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1177976
SUSE Bug 1177976
https://bugzilla.suse.com/1183933
SUSE Bug 1183933
https://bugzilla.suse.com/1186114
SUSE Bug 1186114
https://www.suse.com/security/cve/CVE-2021-22876/
SUSE CVE CVE-2021-22876 page
https://www.suse.com/security/cve/CVE-2021-22898/
SUSE CVE CVE-2021-22898 page

Описание

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

Затронутые продукты

Container caasp/v4/389-ds:1.4.2:libcurl4-7.60.0-3.42.1

Container caasp/v4/busybox:1.34.1:libcurl4-7.60.0-3.42.1

Container caasp/v4/caasp-dex:2.16.0:libcurl4-7.60.0-3.42.1

Container caasp/v4/cert-exporter:2.3.0:libcurl4-7.60.0-3.42.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-22876.html
CVE-2021-22876
https://bugzilla.suse.com/1183933
SUSE Bug 1183933

Описание

curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

Затронутые продукты

Container caasp/v4/389-ds:1.4.2:libcurl4-7.60.0-3.42.1

Container caasp/v4/busybox:1.34.1:libcurl4-7.60.0-3.42.1

Container caasp/v4/caasp-dex:2.16.0:libcurl4-7.60.0-3.42.1

Container caasp/v4/cert-exporter:2.3.0:libcurl4-7.60.0-3.42.1

Ссылки

https://www.suse.com/security/cve/CVE-2021-22898.html
CVE-2021-22898
https://bugzilla.suse.com/1186114
SUSE Bug 1186114
https://bugzilla.suse.com/1192450
SUSE Bug 1192450