Описание
Security update for curl
This update for curl fixes the following issues:
- CVE-2022-35252: Fixed a potential injection of control characters into cookies (bsc#1202593).
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
Список пакетов
Container suse/sles12sp4:latest
Image SLES12-SP4-SAP-Azure-LI-BYOS-Production
Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production
SUSE Linux Enterprise Server 12 SP4-LTSS
SUSE Linux Enterprise Server for SAP Applications 12 SP4
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
Ссылки
- Link for SUSE-SU-2022:3772-1
- E-Mail link for SUSE-SU-2022:3772-1
- SUSE Security Ratings
- SUSE Bug 1202593
- SUSE Bug 1204383
- SUSE CVE CVE-2022-32221 page
- SUSE CVE CVE-2022-35252 page
Описание
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
Затронутые продукты
Ссылки
- CVE-2022-32221
- SUSE Bug 1204383
- SUSE Bug 1205287
- SUSE Bug 1205834
- SUSE Bug 1206236
- SUSE Bug 1208340
- SUSE Bug 1211233
Описание
When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control codes that when later are sent back to a HTTPserver might make the server return 400 responses. Effectively allowing a"sister site" to deny service to all siblings.
Затронутые продукты
Ссылки
- CVE-2022-35252
- SUSE Bug 1202593