Headline
Red Hat Security Advisory 2023-4139-01
Red Hat Security Advisory 2023-4139-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: curl security update
Advisory ID: RHSA-2023:4139-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4139
Issue date: 2023-07-18
CVE Names: CVE-2022-32221 CVE-2023-23916
=====================================================================
- Summary:
An update for curl is now available for Red Hat Enterprise Linux 9.0
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS EUS (v.9.0) - aarch64, ppc64le, s390x, x86_64
- Description:
The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP.
Security Fix(es):
curl: POST following PUT confusion (CVE-2022-32221)
curl: HTTP multi-header compression denial of service (CVE-2023-23916)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2135411 - CVE-2022-32221 curl: POST following PUT confusion
2167815 - CVE-2023-23916 curl: HTTP multi-header compression denial of service
- Package List:
Red Hat Enterprise Linux AppStream EUS (v.9.0):
aarch64:
curl-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
curl-debugsource-7.76.1-14.el9_0.6.aarch64.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
libcurl-devel-7.76.1-14.el9_0.6.aarch64.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
ppc64le:
curl-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
curl-debugsource-7.76.1-14.el9_0.6.ppc64le.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
libcurl-devel-7.76.1-14.el9_0.6.ppc64le.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
s390x:
curl-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
curl-debugsource-7.76.1-14.el9_0.6.s390x.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
libcurl-devel-7.76.1-14.el9_0.6.s390x.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
x86_64:
curl-debuginfo-7.76.1-14.el9_0.6.i686.rpm
curl-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
curl-debugsource-7.76.1-14.el9_0.6.i686.rpm
curl-debugsource-7.76.1-14.el9_0.6.x86_64.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.i686.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.i686.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
libcurl-devel-7.76.1-14.el9_0.6.i686.rpm
libcurl-devel-7.76.1-14.el9_0.6.x86_64.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.i686.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
Red Hat Enterprise Linux BaseOS EUS (v.9.0):
Source:
curl-7.76.1-14.el9_0.6.src.rpm
aarch64:
curl-7.76.1-14.el9_0.6.aarch64.rpm
curl-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
curl-debugsource-7.76.1-14.el9_0.6.aarch64.rpm
curl-minimal-7.76.1-14.el9_0.6.aarch64.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
libcurl-7.76.1-14.el9_0.6.aarch64.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
libcurl-minimal-7.76.1-14.el9_0.6.aarch64.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.aarch64.rpm
ppc64le:
curl-7.76.1-14.el9_0.6.ppc64le.rpm
curl-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
curl-debugsource-7.76.1-14.el9_0.6.ppc64le.rpm
curl-minimal-7.76.1-14.el9_0.6.ppc64le.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
libcurl-7.76.1-14.el9_0.6.ppc64le.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
libcurl-minimal-7.76.1-14.el9_0.6.ppc64le.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.ppc64le.rpm
s390x:
curl-7.76.1-14.el9_0.6.s390x.rpm
curl-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
curl-debugsource-7.76.1-14.el9_0.6.s390x.rpm
curl-minimal-7.76.1-14.el9_0.6.s390x.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
libcurl-7.76.1-14.el9_0.6.s390x.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
libcurl-minimal-7.76.1-14.el9_0.6.s390x.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.s390x.rpm
x86_64:
curl-7.76.1-14.el9_0.6.x86_64.rpm
curl-debuginfo-7.76.1-14.el9_0.6.i686.rpm
curl-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
curl-debugsource-7.76.1-14.el9_0.6.i686.rpm
curl-debugsource-7.76.1-14.el9_0.6.x86_64.rpm
curl-minimal-7.76.1-14.el9_0.6.x86_64.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.i686.rpm
curl-minimal-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
libcurl-7.76.1-14.el9_0.6.i686.rpm
libcurl-7.76.1-14.el9_0.6.x86_64.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.i686.rpm
libcurl-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
libcurl-minimal-7.76.1-14.el9_0.6.i686.rpm
libcurl-minimal-7.76.1-14.el9_0.6.x86_64.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.i686.rpm
libcurl-minimal-debuginfo-7.76.1-14.el9_0.6.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-32221
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#moderate
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJktmwhAAoJENzjgjWX9erERi8P/2SDDRgrMlMpO4mXOQOHpnBc
sDfOVF79svk3OP6kjP2zVTGOOVjsUneyROB9GWyuPPjXxJGVBPGibuAPWwD6ismM
HSsoPAxZjFVJiaf8aoeJorDS/DNQbYV1pvUrhMqVNWgoobyMMFHrWMvniz+mBUve
TquHFuWcu5/5a48KGtTa6fLZlnby5bII/saN1+gIadA57iTL+JNLf/6emT15LGab
1JvQMg5qA5IiW2mzQFLdW/diUJSI9Kp1VZllAT6FenMlSVU/tZ5oaILvmRbnIBdC
3UNZfrJHr8R3D/Go/7mtcxyA9w/kqY1JQS+hhepApZxxFa1x7sAWc7CjNE0NslqA
QScUuV4lRiiXVCSERBYJ8r3Wd0yQ1yA8cKq48GDQLpBPMS62yeUANPGykBvB54MW
DYj0EWmjwKTZQvnDrKczMA2g1HEIEoGsp84XgZu2xRX6V5uXKjFVTxJNVnPCOlt6
67VZdr3D8LgE88+7ON7cEoumzk2i7mjZvO9KFioifb8vOll1zGNt0PhvSdNCj7A7
eQKZRNiwM7Jq60uvX5Ej3CDR6ih+hvY0l/g5aQHhBwvI9OXAt3CotqivY8mZkPWo
aZ97c6+XBqH4oVagM2ytYlV0CqWvlFOUROoTlM9uapBL9NYGG4/unbtMPQyX4y+B
sCjCekvuX9Rj0R7DT/vf
=PgSQ
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.
An update for curl is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32221: A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback...
Red Hat Security Advisory 2023-2104-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-2098-01 - Multicluster Engine for Kubernetes 2.0.8 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Red Hat Security Advisory 2023-2061-01 - Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.
Multicluster Engine for Kubernetes 2.1.6 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
Red Hat Security Advisory 2023-1816-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.
Red Hat Security Advisory 2023-1310-01 - An update is now available for Logging Subsystem for Red Hat OpenShift - 5.5.9. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-1448-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.
Red Hat OpenShift Service Mesh Containers for 2.3.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server t...
The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...
The issue was addressed with improved handling of caches. This issue is fixed in macOS Ventura 13.2, tvOS 16.3, iOS 16.3 and iPadOS 16.3, watchOS 9.3. Visiting a website may lead to an app denial-of-service.
Debian Linux Security Advisory 5330-1 - Two vulnerabilities were discovered in Curl, an easy-to-use client-side URL transfer library, which could result in denial of service or information disclosure.
Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.
Apple Security Advisory 2023-01-23-4 - macOS Ventura 13.2 addresses buffer overflow, bypass, code execution, information leakage, and use-after-free vulnerabilities.
An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32221: curl: POST following PUT confusion
Red Hat Security Advisory 2022-8840-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer overflow, bypass, code execution, denial of service, double free, and out of bounds read vulnerabilities.
An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1292: openssl: c_rehash script allows command injection * CVE-2022-2068: openssl: the c_rehash script allows command injection * CVE-2022-22721: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody * CVE-2022-23943: httpd: mod_sed: Read/write beyond bounds * CVE-2022-26377: httpd: mod_proxy_ajp: Possible request smuggling * CVE-20...
When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously was used to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is changed from a PUT to a POST.
Ubuntu Security Notice 5702-1 - Robby Simpson discovered that curl incorrectly handled certain POST operations after PUT operations. This issue could cause applications using curl to send the wrong data, perform incorrect memory operations, or crash. Hiroki Kurosawa discovered that curl incorrectly handled parsing .netrc files. If an attacker were able to provide a specially crafted .netrc file, this issue could cause curl to crash, resulting in a denial of service. This issue only affected Ubuntu 22.10.