openSUSE-SU-2020:2238-1

Опубликовано: 13 дек. 2020

Источник: suse-cvrf

Описание

Security update for curl

This update for curl fixes the following issues:

CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

Список пакетов

openSUSE Leap 15.2

curl-7.66.0-lp152.3.12.1

curl-mini-7.66.0-lp152.3.12.1

libcurl-devel-7.66.0-lp152.3.12.1

libcurl-devel-32bit-7.66.0-lp152.3.12.1

libcurl-mini-devel-7.66.0-lp152.3.12.1

libcurl4-7.66.0-lp152.3.12.1

libcurl4-32bit-7.66.0-lp152.3.12.1

libcurl4-mini-7.66.0-lp152.3.12.1

Ссылки

https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PRXMLUV5IZ4L22JUMUBU3FUW7BWHV7J7/
E-Mail link for openSUSE-SU-2020:2238-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/1179398
SUSE Bug 1179398
https://bugzilla.suse.com/1179399
SUSE Bug 1179399
https://bugzilla.suse.com/1179593
SUSE Bug 1179593
https://www.suse.com/security/cve/CVE-2020-8284/
SUSE CVE CVE-2020-8284 page
https://www.suse.com/security/cve/CVE-2020-8285/
SUSE CVE CVE-2020-8285 page
https://www.suse.com/security/cve/CVE-2020-8286/
SUSE CVE CVE-2020-8286 page

Описание

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Затронутые продукты

openSUSE Leap 15.2:curl-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:curl-mini-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:libcurl-devel-32bit-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:libcurl-devel-7.66.0-lp152.3.12.1

Ссылки

https://www.suse.com/security/cve/CVE-2020-8284.html
CVE-2020-8284
https://bugzilla.suse.com/1179398
SUSE Bug 1179398
https://bugzilla.suse.com/1179399
SUSE Bug 1179399
https://bugzilla.suse.com/1186108
SUSE Bug 1186108

Описание

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.

Затронутые продукты

openSUSE Leap 15.2:curl-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:curl-mini-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:libcurl-devel-32bit-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:libcurl-devel-7.66.0-lp152.3.12.1

Ссылки

https://www.suse.com/security/cve/CVE-2020-8285.html
CVE-2020-8285
https://bugzilla.suse.com/1179399
SUSE Bug 1179399
https://bugzilla.suse.com/1186108
SUSE Bug 1186108

Описание

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

Затронутые продукты

openSUSE Leap 15.2:curl-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:curl-mini-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:libcurl-devel-32bit-7.66.0-lp152.3.12.1

openSUSE Leap 15.2:libcurl-devel-7.66.0-lp152.3.12.1

Ссылки

https://www.suse.com/security/cve/CVE-2020-8286.html
CVE-2020-8286
https://bugzilla.suse.com/1179593
SUSE Bug 1179593
https://bugzilla.suse.com/1186108
SUSE Bug 1186108

openSUSE-SU-2020:2238-1

Описание

Список пакетов

openSUSE Leap 15.2

Ссылки

Уязвимость: CVE-2020-8284

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2020-8285

Описание

Затронутые продукты

Ссылки

Уязвимость: CVE-2020-8286

Описание

Затронутые продукты

Ссылки