RHSA-2023:1140: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-23916: A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.
Red Hat Security Data

Issued: 2023-03-07

Updated: 2023-03-07

RHSA-2023:1140 - Security Advisory

Synopsis

Moderate: curl security update

Type/Severity

Security Advisory: Moderate

Topic

An update for curl is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: HTTP multi-header compression denial of service (CVE-2023-23916)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2167815 - CVE-2023-23916 curl: HTTP multi-header compression denial of service

Red Hat Enterprise Linux for x86_64 8

SRPM

curl-7.61.1-25.el8_7.3.src.rpm

SHA-256: abee26e3f58f23a55bfe834507c26a2d40e7c5b865e90d80b19fede44a48c270

x86_64

curl-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: 6a56dcb0c5ff8277ebdc6d8c282a96b7070bf94e6bed576b0f26537e854bc165

curl-debuginfo-7.61.1-25.el8_7.3.i686.rpm

SHA-256: 19a93c31dcf29f41fdf22648da6d59dfd18b1b48b1b6308ed5176e8dabbfabc2

curl-debuginfo-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: 21c30bea44fc7ecd451b0b76070d7a39991ed03fed2df763c8b4354aa02836be

curl-debugsource-7.61.1-25.el8_7.3.i686.rpm

SHA-256: 90bf17a7bf3c64d976d8e8732a4e8f3e7df6b490c957b71b4bc5119608e0b73d

curl-debugsource-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: e77bbfb0d014b3879f90d66f86df3793bfa7f87f0db6f26845d92f17d95139c7

curl-minimal-debuginfo-7.61.1-25.el8_7.3.i686.rpm

SHA-256: 0280caca04f99319609a38fae1d2a4d7a1dea42cd8fca790aba1027ac1b72ed5

curl-minimal-debuginfo-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: 6238ce9fb482e19ef62a39dbcd91783b52a8b8b1eb57adca9ce93f73f5d96c59

libcurl-7.61.1-25.el8_7.3.i686.rpm

SHA-256: 83cef13c91de6d46f895a83d8cf46e46948a7b7de314c550a2dad139c799da8c

libcurl-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: ff7897f841c7dc867a7dbfb67ac999509ae7f8d14599168cb3605da89596be80

libcurl-debuginfo-7.61.1-25.el8_7.3.i686.rpm

SHA-256: 78faae7153bef10d3973dd8cde7a9bd74071a5d4cbb1de913a847f1890fbadc1

libcurl-debuginfo-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: e897bd644734e5cc5c5f151166521d0d9c44bd7486c08e7f08d0249290d32025

libcurl-devel-7.61.1-25.el8_7.3.i686.rpm

SHA-256: b55ada9f568dc6439f37bd14fcbc9612060ae8bde518f80efe0fc40cd93c8fb8

libcurl-devel-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: 4f557b59318ff0806af853530938d4f144764413079cf75c48f223b35ae47806

libcurl-minimal-7.61.1-25.el8_7.3.i686.rpm

SHA-256: 950cc4b3bda34d1f3c0036b0d19f5efbe82f4dabe7ddee27d7db6954e54748db

libcurl-minimal-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: 6b1596ff1bee09a85b51b02443ef52b56f3a0b194207f0e2d2796a993a71fb0f

libcurl-minimal-debuginfo-7.61.1-25.el8_7.3.i686.rpm

SHA-256: 8aa68758f9589b49596dcde2d4bb459948e9019ec86091bfc23a8375f427d7e3

libcurl-minimal-debuginfo-7.61.1-25.el8_7.3.x86_64.rpm

SHA-256: e4b521ec7d8e19df179bc9151026ddb9182ab43693820c6f37fee5c4ca05213a

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

curl-7.61.1-25.el8_7.3.src.rpm

SHA-256: abee26e3f58f23a55bfe834507c26a2d40e7c5b865e90d80b19fede44a48c270

s390x

curl-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: df18d8a316ee839b4a0bfba2f0624cdf2cb316083b1503cb9d8da7a43e28e009

curl-debuginfo-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: a1ea49a2c236d52068d7bc91eaad7f394f77ed3b12b1568dedb2a4d432a12d3f

curl-debugsource-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: ccfa9fa008dd9ebcc7946f0e1840ae34a5bdad67396bb158ea4a3cbf4bad481e

curl-minimal-debuginfo-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: 06c93d5f9175b5874956c56e164d7c4f247f38bf9f7a593bd791cdb0a8767750

libcurl-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: bee492f448694e0eefc1802ecc16ad2e6287fe4668dd27d350c06e8eef40894c

libcurl-debuginfo-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: e90dd1ab622ed0d7b01474a98d2b9e620c7704bf5b7524ad3b2f6cfab3d248b3

libcurl-devel-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: 8a018aae20a54806a64aa8b1ee34814b3e92fe54ba2b174934dc6dffbaeceddd

libcurl-minimal-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: 26af4211c4e351ccd63979e8f4e77f70b9bf8d896ea46a7b2a586caad646ba3f

libcurl-minimal-debuginfo-7.61.1-25.el8_7.3.s390x.rpm

SHA-256: d10b39687b359aff6b0a254b117196bd02fe32725d85b6484dfc8cdd06770530

Red Hat Enterprise Linux for Power, little endian 8

SRPM

curl-7.61.1-25.el8_7.3.src.rpm

SHA-256: abee26e3f58f23a55bfe834507c26a2d40e7c5b865e90d80b19fede44a48c270

ppc64le

curl-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: 640b45617b27678df56013845f5a7870ed0d4a1316d46e5acf079e4547f6b7a8

curl-debuginfo-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: 32f83ade30571bbff18d8e4f0fecfeb3e5524663f271b9f671d818f965d668a2

curl-debugsource-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: 4094068753354c2121ed23f7c246074465e4797b160703a5e58e148906127359

curl-minimal-debuginfo-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: c980ed9c93ad530d5981bcb16c9289b07311e167a3ea9c2d0d3fd8e2c7d1e3d8

libcurl-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: b99193b5212b08fb97b0b6daf687e3e3e7ba2df302ea900678398672f86c9b14

libcurl-debuginfo-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: 611223e934380a6a7ac213c4263cd71cc437c9cbb4ea85348fb60e5ecb5b74f5

libcurl-devel-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: a07d0baa874a8daff2016f32e17e7ba09b11e36ef7677b4a8b5f52e6eda48e63

libcurl-minimal-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: ad2b52d393fe2fad81ac8238e94c8851df1abe36a1e457e50e120135a5a3ee29

libcurl-minimal-debuginfo-7.61.1-25.el8_7.3.ppc64le.rpm

SHA-256: 54654be9504a382409722bcd3252f5f2058e0a361d9096f28a11fdaf441b50f8

Red Hat Enterprise Linux for ARM 64 8

SRPM

curl-7.61.1-25.el8_7.3.src.rpm

SHA-256: abee26e3f58f23a55bfe834507c26a2d40e7c5b865e90d80b19fede44a48c270

aarch64

curl-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 6d93a2f7326904129eb48222c7a6bc8c81cc33083697655cb5a7814a8c935ada

curl-debuginfo-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 52e66548489b262d2e751a0a3df374805120a77736d2f2dd9c88a1b16c71a6f4

curl-debugsource-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 0b61c6ac4c86df3ada62642c299191f94760acdd2d943d2e0eee4dbde6a2c3d4

curl-minimal-debuginfo-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 94cf6707293d259bf31b63abae1070ea604f15646eb846dd6f9cc2a5ddb0c1d6

libcurl-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 7443b2f3d504936546517d74a8bf4e98d1a4f68faceea4c6d07b6fe1587621b8

libcurl-debuginfo-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 4bcac2de3e8995cac9c536cdd0a51a6fd5bdc27306bd5d25df3b85962b4432c0

libcurl-devel-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: fbafd656fb8774ebac22b8a289a60e3354fc1a7c44f230602305e0e467956df6

libcurl-minimal-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 41e8d118c941e767ff1b3eb330169ff0e0092bf2fd1211146b112b4cd6a0d0a0

libcurl-minimal-debuginfo-7.61.1-25.el8_7.3.aarch64.rpm

SHA-256: 0c7bb5301fb18c68d6e69012f415b77ef6e9c9172b38c313e1db33de93ab4771

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202310-12

Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.

RHSA-2023:4139: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32221: A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback...

RHSA-2023:3354: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update

An update is now available for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2 on Red Hat Enterprise Linux versions 7 and 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service. * CVE-2022-4304: A timing-based side channel exists in the Open...

RHSA-2023:0584: Red Hat Security Advisory: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...

Red Hat Security Advisory 2023-2107-01

Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.

RHSA-2023:2104: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.8 security updates and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.8 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

Red Hat Security Advisory 2023-2083-01

Red Hat Security Advisory 2023-2083-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.5 General Availability release images, which fix bugs and security updates container images. Issues addressed include denial of service and server-side request forgery vulnerabilities.

RHSA-2023:2061: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.1.6 security updates and bug fixes

Multicluster Engine for Kubernetes 2.1.6 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

RHSA-2023:2041: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...

Red Hat Security Advisory 2023-2023-01

Red Hat Security Advisory 2023-2023-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

Red Hat Security Advisory 2023-1888-01

Red Hat Security Advisory 2023-1888-01 - Red Hat Advanced Cluster Management for Kubernetes 2.7.3 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include denial of service and server-side request forgery vulnerabilities.

RHSA-2023:1893: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0 hotfix security update for console

Red Hat Multicluster Engine Hotfix Security Update for Console Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-29017: A flaw was found in vm2 where the component was not properly handling asynchronous errors. This flaw allows a remote, unauthenticated attacker to escape the restrictions of the sandbox and execute code on the host. * CVE-2023-29199: There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, al...

RHSA-2023:1888: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.7.3 security fixes and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.7.3 General Availability release images, which fix bugs and security updates container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3841: A Server-Side Request Forgery (SSRF) vulnerability was found in the console API endpoint from Red Hat Advanced Cluster Management for Kubernetes (RHACM). An attacker could take advantage of this as the console API endpoint is missing an authentication check, allowing unauth...

Red Hat Security Advisory 2023-1842-01

Red Hat Security Advisory 2023-1842-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.

RHSA-2023:1816: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While ...

RHSA-2023:1701: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-23916: A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.

Red Hat Security Advisory 2023-1639-01

Red Hat Security Advisory 2023-1639-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-1310-01

Red Hat Security Advisory 2023-1310-01 - An update is now available for Logging Subsystem for Red Hat OpenShift - 5.5.9. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:1310: Red Hat Security Advisory: Logging Subsystem for Red Hat OpenShift - 5.5.9 security update

An update is now available for Logging Subsystem for Red Hat OpenShift - 5.5.9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large...

Red Hat Security Advisory 2023-1448-01

Red Hat Security Advisory 2023-1448-01 - Red Hat OpenShift Service Mesh is the Red Hat distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers container images for the release.

Red Hat Security Advisory 2023-1453-01

Red Hat Security Advisory 2023-1453-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-1454-01

Red Hat Security Advisory 2023-1454-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate.

RHSA-2023:1454: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

RHSA-2023:1453: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

RHSA-2023:1448: Red Hat Security Advisory: Red Hat OpenShift Service Mesh Containers for 2.3.2 security update

Red Hat OpenShift Service Mesh Containers for 2.3.2 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41717: A flaw was found in the net/http library of the golang package. This flaw allows an attacker to cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server t...

RHSA-2023:1428: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.8 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-36567: A flaw was found in gin. This issue occurs when the default Formatter for the Logger middleware (LoggerConfig.Formatter), which is included in the Default engine, allows attackers to inject arbitrary log entries by manipulating the request path. * CVE-2022-24999: A flaw was found in the express.js npm package. Express.js Express is vulnerable to a d...

CVE-2023-25947: en/security-disclosure/2023/2023-03.md · OpenHarmony/security - Gitee.com

The bundle management subsystem within OpenHarmony-v3.1.4 and prior versions has a null pointer reference vulnerability which local attackers can exploit this vulnerability to cause a DoS attack to the system when installing a malicious HAP package.

Red Hat Security Advisory 2023-1140-01

Red Hat Security Advisory 2023-1140-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5365-1

Debian Linux Security Advisory 5365-1 - Patrick Monnerat discovered that Curl's support for "chained" HTTP compression algorithms was susceptible to denial of service.

Ubuntu Security Notice USN-5891-1

Ubuntu Security Notice 5891-1 - Harry Sintonen discovered that curl incorrectly handled HSTS support when multiple URLs are requested serially. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. Harry Sintonen discovered that curl incorrectly handled HSTS support when multiple URLs are requested in parallel. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10.

CVE-2023-23916

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
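The CVE text above, like the "Security Fix(es)" entry in the advisory body, turns on one detail: the chain-length cap was enforced per Content-Encoding header rather than over the whole response. The following C program is an added example written for this page, not curl's code; it assumes a cap value `MAX_CHAIN_LEN` and its own small header-scanning helpers. It counts the decompression steps in a constructed set of response header lines two ways, once with the per-header cap the CVE describes and once with a cap on the running total, so the difference between the two policies is visible on the same input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Maximum number of decompression steps accepted for one response.
 * The value is an assumption for this example, not curl's constant. */
#define MAX_CHAIN_LEN 5

/* Case-insensitive test for a "Content-Encoding:" header line.
 * On success *value points just past the colon. */
static int is_content_encoding(const char *line, const char **value)
{
    static const char name[] = "content-encoding:";
    size_t n = strlen(name);
    if (strlen(line) < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)line[i]) != name[i])
            return 0;
    *value = line + n;
    return 1;
}

/* Count comma-separated encoding tokens in one header value
 * ("gzip, br, deflate" -> 3). Empty items between commas are ignored. */
static int count_tokens(const char *value)
{
    int count = 0, in_token = 0;
    for (; *value && *value != '\r' && *value != '\n'; value++) {
        if (*value == ',') {
            in_token = 0;
        } else if (!isspace((unsigned char)*value) && !in_token) {
            in_token = 1;
            count++;
        }
    }
    return count;
}

/* Weak policy (the behaviour the CVE describes): the cap is applied to each
 * header in isolation, so a response carrying many short Content-Encoding
 * headers passes. Returns the total chain length accepted, or -1 if any
 * single header exceeds the cap. */
int chain_len_per_header_cap(const char *const *lines, int nlines)
{
    int total = 0;
    for (int i = 0; i < nlines; i++) {
        const char *v;
        if (!is_content_encoding(lines[i], &v))
            continue;
        int n = count_tokens(v);
        if (n > MAX_CHAIN_LEN)
            return -1;
        total += n;
    }
    return total;
}

/* Hardened policy: the cap is applied to the running total across all
 * Content-Encoding headers, so splitting the chain over many headers does
 * not help. Returns the chain length, or -1 as soon as the cap is exceeded. */
int chain_len_total_cap(const char *const *lines, int nlines)
{
    int total = 0;
    for (int i = 0; i < nlines; i++) {
        const char *v;
        if (!is_content_encoding(lines[i], &v))
            continue;
        total += count_tokens(v);
        if (total > MAX_CHAIN_LEN)
            return -1;
    }
    return total;
}

int main(void)
{
    /* Constructed response headers: six steps spread over six headers. */
    const char *split[] = {
        "HTTP/1.1 200 OK",
        "Content-Type: text/plain",
        "Content-Encoding: gzip",
        "content-encoding: gzip",
        "Content-Encoding: gzip",
        "Content-Encoding: gzip",
        "Content-Encoding: gzip",
        "Content-Encoding: gzip",
    };
    int n = (int)(sizeof split / sizeof split[0]);
    printf("per-header cap accepts chain of length %d\n",
           chain_len_per_header_cap(split, n));
    printf("total cap result: %d (-1 means rejected)\n",
           chain_len_total_cap(split, n));
    return 0;
}
```

The per-header variant reports an accepted chain of six steps for the split headers, while the total-cap variant rejects the same response once the running count passes `MAX_CHAIN_LEN`; a single header listing six encodings is rejected by both. On the defensive side, the same counting logic can be applied in a proxy or in test fixtures to confirm that a client build in use refuses long chains regardless of how they are spread across headers.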