Описание
Security update for curl
This update for curl fixes the following issues:
- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).
- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).
- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).
This update was imported from the SUSE:SLE-15:Update update project.
Список пакетов
openSUSE Leap 15.1
curl-7.60.0-lp151.5.18.1
curl-mini-7.60.0-lp151.5.18.1
libcurl-devel-7.60.0-lp151.5.18.1
libcurl-devel-32bit-7.60.0-lp151.5.18.1
libcurl-mini-devel-7.60.0-lp151.5.18.1
libcurl4-7.60.0-lp151.5.18.1
libcurl4-32bit-7.60.0-lp151.5.18.1
libcurl4-mini-7.60.0-lp151.5.18.1
Ссылки
- E-Mail link for openSUSE-SU-2020:2249-1
- SUSE Security Ratings
- SUSE Bug 1179398
- SUSE Bug 1179399
- SUSE Bug 1179593
- SUSE CVE CVE-2020-8284 page
- SUSE CVE CVE-2020-8285 page
- SUSE CVE CVE-2020-8286 page
Описание
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Затронутые продукты
openSUSE Leap 15.1:curl-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:curl-mini-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:libcurl-devel-32bit-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:libcurl-devel-7.60.0-lp151.5.18.1
Ссылки
- CVE-2020-8284
- SUSE Bug 1179398
- SUSE Bug 1179399
- SUSE Bug 1186108
Описание
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Затронутые продукты
openSUSE Leap 15.1:curl-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:curl-mini-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:libcurl-devel-32bit-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:libcurl-devel-7.60.0-lp151.5.18.1
Ссылки
- CVE-2020-8285
- SUSE Bug 1179399
- SUSE Bug 1186108
Описание
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
Затронутые продукты
openSUSE Leap 15.1:curl-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:curl-mini-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:libcurl-devel-32bit-7.60.0-lp151.5.18.1
openSUSE Leap 15.1:libcurl-devel-7.60.0-lp151.5.18.1
Ссылки
- CVE-2020-8286
- SUSE Bug 1179593
- SUSE Bug 1186108