SUSE-SU-2022:1657-1

Опубликовано: 13 мая 2022

Источник: suse-cvrf

Описание

Security update for curl

This update for curl fixes the following issues:

CVE-2022-27776: Fixed auth/cookie leak on redirect (bsc#1198766)
CVE-2022-27775: Fixed bad local IPv6 connection reuse (bsc#1198723)
CVE-2022-22576: Fixed OAUTH2 bearer bypass in connection re-use (bsc#1198614)

Список пакетов

Container bci/bci-init:15.3

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:3.1

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:5.0

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:latest

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-runtime:3.1

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-runtime:5.0

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-runtime:latest

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-sdk:3.1

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-sdk:5.0

libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-sdk:latest

libcurl4-7.66.0-150200.4.30.1

Container bci/golang:1.16

libcurl4-7.66.0-150200.4.30.1

Container bci/golang:1.17

libcurl4-7.66.0-150200.4.30.1

Container bci/golang:latest

libcurl4-7.66.0-150200.4.30.1

Container bci/node:12

libcurl4-7.66.0-150200.4.30.1

Container bci/node:14

libcurl4-7.66.0-150200.4.30.1

Container bci/nodejs:latest

libcurl4-7.66.0-150200.4.30.1

Container bci/openjdk-devel:11

libcurl4-7.66.0-150200.4.30.1

Container bci/openjdk:latest

libcurl4-7.66.0-150200.4.30.1

Container bci/python:3

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Container bci/ruby:latest

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/ceph/grafana:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/ceph/haproxy:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/ceph/keepalived:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/ceph/prometheus-alertmanager:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/ceph/prometheus-node-exporter:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/ceph/prometheus-server:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/ceph/prometheus-snmp_notifier:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/cephcsi/cephcsi:latest

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/cephcsi/csi-attacher:v4.1.0

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/cephcsi/csi-node-driver-registrar:v2.7.0

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/cephcsi/csi-provisioner:v3.4.0

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/cephcsi/csi-resizer:v1.7.0

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/cephcsi/csi-snapshotter:v6.2.1

libcurl4-7.66.0-150200.4.30.1

Container ses/7.1/rook/ceph:latest

libcurl4-7.66.0-150200.4.30.1

Container suse/ltss/sle15.3/bci-base:latest

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Container suse/pcp:latest

libcurl4-7.66.0-150200.4.30.1

Container suse/rmt-mariadb-client:latest

libcurl4-7.66.0-150200.4.30.1

Container suse/rmt-mariadb:latest

libcurl4-7.66.0-150200.4.30.1

Container suse/rmt-nginx:latest

libcurl4-7.66.0-150200.4.30.1

Container suse/rmt-server:latest

libcurl4-7.66.0-150200.4.30.1

Container suse/sle-micro-rancher/5.2:latest

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Container suse/sle-micro/5.1/toolbox:latest

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Container suse/sle-micro/5.2/toolbox:latest

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Container suse/sle15:15.2

libcurl4-7.66.0-150200.4.30.1

Container suse/sle15:15.3

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Container trento/trento-db:latest

libcurl4-7.66.0-150200.4.30.1

Container trento/trento-runner:latest

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-CHOST-BYOS-Aliyun

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-CHOST-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-CHOST-BYOS-EC2

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-CHOST-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-HPC-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-HPC-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-Azure-LI-BYOS-Production

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP2-SAP-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-CHOST-BYOS-Aliyun

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-CHOST-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-CHOST-BYOS-EC2

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-CHOST-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-CHOST-BYOS-SAP-CCloud

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-HPC-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-HPC-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-HPC-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Manager-4-2-Proxy-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Manager-4-2-Proxy-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Manager-4-2-Proxy-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Micro-5-1-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Micro-5-1-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Micro-5-1-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Micro-5-2-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Micro-5-2-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-Micro-5-2-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-SAP-Azure-LI-BYOS-Production

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-SAP-BYOS-Azure

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-SAP-BYOS-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-SAP-BYOS-GCE

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

Image SLES15-SP3-SAPCAL-Azure

curl-7.66.0-150200.4.30.1

libcurl-devel-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

libcurl4-32bit-7.66.0-150200.4.30.1

Image SLES15-SP3-SAPCAL-EC2-HVM

curl-7.66.0-150200.4.30.1

libcurl-devel-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

libcurl4-32bit-7.66.0-150200.4.30.1

Image SLES15-SP3-SAPCAL-GCE

curl-7.66.0-150200.4.30.1

libcurl-devel-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

libcurl4-32bit-7.66.0-150200.4.30.1

SUSE Linux Enterprise Micro 5.1

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

SUSE Linux Enterprise Micro 5.2

curl-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

SUSE Linux Enterprise Module for Basesystem 15 SP3

curl-7.66.0-150200.4.30.1

libcurl-devel-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

libcurl4-32bit-7.66.0-150200.4.30.1

openSUSE Leap 15.3

curl-7.66.0-150200.4.30.1

libcurl-devel-7.66.0-150200.4.30.1

libcurl-devel-32bit-7.66.0-150200.4.30.1

libcurl4-7.66.0-150200.4.30.1

libcurl4-32bit-7.66.0-150200.4.30.1

Ссылки

https://www.suse.com/support/update/announcement/2022/suse-su-20221657-1/
Link for SUSE-SU-2022:1657-1
https://lists.suse.com/pipermail/sle-security-updates/2022-May/010999.html
E-Mail link for SUSE-SU-2022:1657-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1198614
SUSE Bug 1198614
https://bugzilla.suse.com/1198723
SUSE Bug 1198723
https://bugzilla.suse.com/1198766
SUSE Bug 1198766
https://www.suse.com/security/cve/CVE-2022-22576/
SUSE CVE CVE-2022-22576 page
https://www.suse.com/security/cve/CVE-2022-27775/
SUSE CVE CVE-2022-27775 page
https://www.suse.com/security/cve/CVE-2022-27776/
SUSE CVE CVE-2022-27776 page

Описание

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

Затронутые продукты

Container bci/bci-init:15.3:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:3.1:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:5.0:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:latest:libcurl4-7.66.0-150200.4.30.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-22576.html
CVE-2022-22576
https://bugzilla.suse.com/1198614
SUSE Bug 1198614

Описание

An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

Затронутые продукты

Container bci/bci-init:15.3:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:3.1:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:5.0:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:latest:libcurl4-7.66.0-150200.4.30.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-27775.html
CVE-2022-27775
https://bugzilla.suse.com/1198723
SUSE Bug 1198723

Описание

A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

Затронутые продукты

Container bci/bci-init:15.3:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:3.1:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:5.0:libcurl4-7.66.0-150200.4.30.1

Container bci/dotnet-aspnet:latest:libcurl4-7.66.0-150200.4.30.1

Ссылки

https://www.suse.com/security/cve/CVE-2022-27776.html
CVE-2022-27776
https://bugzilla.suse.com/1198766
SUSE Bug 1198766