Red Hat Security Advisory 2023-2963-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include file download and use-after-free vulnerabilities.
006feb222afe5b1a95cbfec0de94409663f53491d7e4f71e806fdb198dcc2aea
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Low: curl security and bug fix update
Advisory ID: RHSA-2023:2963-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2963
Issue date: 2023-05-16
CVE Names: CVE-2022-35252 CVE-2022-43552
====================================================================
1. Summary:
An update for curl is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64
3. Description:
The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP.
Security Fix(es):
* curl: Incorrect handling of control code characters in cookies
(CVE-2022-35252)
* curl: Use-after-free triggered by an HTTP proxy deny response
(CVE-2022-43552)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.8 Release Notes linked from the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
2120718 - CVE-2022-35252 curl: Incorrect handling of control code characters in cookies
2139337 - Fall back automagically to HTTP1.1 from HTTP2.0 when performing auth method
2152652 - CVE-2022-43552 curl: Use-after-free triggered by an HTTP proxy deny response
2166254 - curl fails large file downloads for some http2 server
6. Package List:
Red Hat Enterprise Linux BaseOS (v. 8):
Source:
curl-7.61.1-30.el8.src.rpm
aarch64:
curl-7.61.1-30.el8.aarch64.rpm
curl-debuginfo-7.61.1-30.el8.aarch64.rpm
curl-debugsource-7.61.1-30.el8.aarch64.rpm
curl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm
libcurl-7.61.1-30.el8.aarch64.rpm
libcurl-debuginfo-7.61.1-30.el8.aarch64.rpm
libcurl-devel-7.61.1-30.el8.aarch64.rpm
libcurl-minimal-7.61.1-30.el8.aarch64.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm
ppc64le:
curl-7.61.1-30.el8.ppc64le.rpm
curl-debuginfo-7.61.1-30.el8.ppc64le.rpm
curl-debugsource-7.61.1-30.el8.ppc64le.rpm
curl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm
libcurl-7.61.1-30.el8.ppc64le.rpm
libcurl-debuginfo-7.61.1-30.el8.ppc64le.rpm
libcurl-devel-7.61.1-30.el8.ppc64le.rpm
libcurl-minimal-7.61.1-30.el8.ppc64le.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm
s390x:
curl-7.61.1-30.el8.s390x.rpm
curl-debuginfo-7.61.1-30.el8.s390x.rpm
curl-debugsource-7.61.1-30.el8.s390x.rpm
curl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm
libcurl-7.61.1-30.el8.s390x.rpm
libcurl-debuginfo-7.61.1-30.el8.s390x.rpm
libcurl-devel-7.61.1-30.el8.s390x.rpm
libcurl-minimal-7.61.1-30.el8.s390x.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm
x86_64:
curl-7.61.1-30.el8.x86_64.rpm
curl-debuginfo-7.61.1-30.el8.i686.rpm
curl-debuginfo-7.61.1-30.el8.x86_64.rpm
curl-debugsource-7.61.1-30.el8.i686.rpm
curl-debugsource-7.61.1-30.el8.x86_64.rpm
curl-minimal-debuginfo-7.61.1-30.el8.i686.rpm
curl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm
libcurl-7.61.1-30.el8.i686.rpm
libcurl-7.61.1-30.el8.x86_64.rpm
libcurl-debuginfo-7.61.1-30.el8.i686.rpm
libcurl-debuginfo-7.61.1-30.el8.x86_64.rpm
libcurl-devel-7.61.1-30.el8.i686.rpm
libcurl-devel-7.61.1-30.el8.x86_64.rpm
libcurl-minimal-7.61.1-30.el8.i686.rpm
libcurl-minimal-7.61.1-30.el8.x86_64.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.i686.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2022-35252
https://access.redhat.com/security/cve/CVE-2022-43552
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZGNu7NzjgjWX9erEAQiiYA/+LOTmv9yZK6GKeddwdBQrjC+qTqPXVS3w
HI4pz5FK7aDXOd1eC3ekH62/lH+0kvJZluY7JEyZr+HBdIPo/KUcKGtZsADsxjZ+
xqD1p8ywfSGPsbgU1sRUnBLy3ViGfvacfRgsiQHOtV523po+u8Mh3D0xz7IMKpNf
56xoq3r8vpzvzdy3G+S+frcDcf0msQz1U9TWegKtbS807FAaBCpyaUS25X4LJYik
g9baa6BuGqXT4abYPgCK+URiQlMFAidSvfg5Er8cBZQveYvp7CLbq04I/h17RYHt
aBcvohkP4BmAHbKWte16YUbzxoOOvAw2sgTOh7gT4P1cbe9WY+ugVDKc823Ze14D
gGjkaSR1bTZmX2FkGXG6JiwwZRJ3DX4LJAjyGsNx9GrE8BSHI5W50wqasDuSgFyB
rT1s/aBK0F6sZXpJVg5URUYVNG6RcnvS5S3SSvkzA+jviKxYraqPIuWhTQ2ygQlt
dQFsuLwZcWJ4Fi59wb1Q/J5cYxfrnf/scIrwuNY/WOGn1peXm5nFRTc1hXegmYLr
/uqbatNZsLPNME8x9TnMf6IhnnYdL5YeVQe/VqaRFK1XgjI3t4sI7serChavrIHS
a/Nxf0PXwvLAOMYflvb7WKH5UukyzhypIqshvTLCie1ZjIyyG5POMruxxLvLGLXY
oqTE0cKjbSo=mFLP
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce