RHSA-2023:2963: Red Hat Security Advisory: curl security and bug fix update

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-35252: A vulnerability found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the server to return a 400 response. This issue effectively allows a “sister site” to deny service to siblings and cause a denial of service attack.
  • CVE-2022-43552: A vulnerability was found in curl. In this issue, curl can be asked to tunnel all protocols virtually it supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a heap-allocated struct after it has been freed and shut down the code path in its transfer.
Source: Red Hat Security Data

Issued: 2023-05-16

Updated: 2023-05-16

RHSA-2023:2963 - Security Advisory

Synopsis

Low: curl security and bug fix update

Type/Severity

Security Advisory: Low

Topic

An update for curl is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: Incorrect handling of control code characters in cookies (CVE-2022-35252)
  • curl: Use-after-free triggered by an HTTP proxy deny response (CVE-2022-43552)
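The cookie fix for CVE-2022-35252 comes down to one rule on the client side: a cookie whose name or value carries control bytes must neither be stored nor sent back, because echoing it in a later request is what lets one host break requests to its sibling hosts. The Python below is an added illustration of that client-side check; it is not curl's code and not part of this advisory. The Set-Cookie headers in it are constructed samples, and treating DEL (0x7f) as a control byte alongside the "byte values below 32" the advisory mentions is this example's own, slightly stricter, choice.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample Set-Cookie headers, as a client might receive them from
# several hosts under one site (these are not taken from the advisory).
SAMPLE_SET_COOKIE_HEADERS = [
    "sess=abc123; Path=/; HttpOnly",
    "theme=dark; Path=/",
    "evil=a\x01b; Path=/",             # control byte inside the value
    "evil2=ok\x0d\x0aX-Injected: 1",   # CR/LF would corrupt the outgoing request
    "\x1bname=value",                  # control byte inside the name
    "trail=value\x7f",                 # DEL is treated as a control byte here too
]


def has_control_bytes(s: str) -> bool:
    """True if the (decoded) header text contains any byte below 0x20 or DEL.

    The advisory describes the flaw as accepting cookies with byte values
    below 32; rejecting 0x7f as well is this example's own choice.
    """
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in s)


def parse_set_cookie(header: str) -> Optional[Tuple[str, str]]:
    """Parse the name=value pair of a Set-Cookie header.

    Returns None (cookie dropped) when the pair carries control bytes: never
    store what you cannot safely send back. Only SP is stripped around the
    pair, so a leading or trailing control byte is not silently removed.
    """
    pair, _, _attributes = header.partition(";")
    name, eq, value = pair.partition("=")
    name, value = name.strip(" "), value.strip(" ")
    if not eq or not name:
        return None
    if has_control_bytes(name) or has_control_bytes(value):
        return None
    return name, value


def store_cookies(headers: List[str]) -> Dict[str, str]:
    """Build a cookie jar from Set-Cookie headers, keeping only clean pairs."""
    jar: Dict[str, str] = {}
    for header in headers:
        parsed = parse_set_cookie(header)
        if parsed is not None:
            jar[parsed[0]] = parsed[1]
    return jar


def build_cookie_header(jar: Dict[str, str]) -> str:
    """Serialise the jar into a Cookie request header.

    A second, independent check at send time means a cookie that reached the
    jar by some other path (an imported cookie file, say) still cannot poison
    the outgoing request.
    """
    parts = [
        f"{name}={value}"
        for name, value in jar.items()
        if not (has_control_bytes(name) or has_control_bytes(value))
    ]
    return "; ".join(parts)


if __name__ == "__main__":
    jar = store_cookies(SAMPLE_SET_COOKIE_HEADERS)
    print("stored:", jar)
    print("Cookie:", build_cookie_header(jar))
```

Running it stores only `sess` and `theme`; the four headers with control bytes are dropped at parse time, and the send-time filter would drop them again if they were injected into the jar directly.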

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2120718 - CVE-2022-35252 curl: Incorrect handling of control code characters in cookies
  • BZ - 2139337 - Fall back automagically to HTTP1.1 from HTTP2.0 when performing auth method
  • BZ - 2152652 - CVE-2022-43552 curl: Use-after-free triggered by an HTTP proxy deny response
  • BZ - 2166254 - curl fails large file downloads for some http2 server
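To decide whether a RHEL 8 host still needs this update, compare the installed curl EVR against the fixed build listed below, curl-7.61.1-30.el8, using rpm's version-ordering rules rather than a plain string comparison (which would rank 7.61.1-9.el8 above 7.61.1-30.el8). The Python below is an added example, not Red Hat tooling: it reimplements the rpmvercmp ordering for the common cases (the `^` separator used by newer rpm releases is left out), and the `rpm -q` output it parses is a constructed sample from imaginary hosts.

```python
import re
from typing import Dict, Tuple

# Fixed curl EVR taken from this advisory's package list (RHEL 8 curl has no epoch).
FIXED_CURL_EVR = "7.61.1-30.el8"

# Constructed sample output of
#   rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' curl libcurl libcurl-minimal
# from imaginary hosts; "(none)" is how rpm prints an unset epoch.
SAMPLE_RPM_QUERY = """\
curl (none):7.61.1-22.el8
libcurl (none):7.61.1-30.el8
libcurl-minimal (none):7.61.1-30.el8_8.1
"""

# Version strings are compared segment by segment; separators such as '.' and '_'
# only delimit segments and carry no meaning of their own.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version (or release) strings the way rpm's rpmvercmp does.

    Numeric segments compare by value, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, '~' marks a pre-release and sorts before
    anything (including the end of the string), and when one string runs out
    of segments the longer one is newer. Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        x = sa[0] if sa else ""
        y = sb[0] if sb else ""
        if x == "~" or y == "~":
            if x == y:
                sa.pop(0)
                sb.pop(0)
                continue
            return -1 if x == "~" else 1
        if not x or not y:
            return 1 if x else -1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            rc = (xi > yi) - (xi < yi)
        else:
            rc = (x > y) - (x < y)
        if rc:
            return rc
        sa.pop(0)
        sb.pop(0)
    return 0


def parse_evr(evr: str) -> Tuple[str, str, str]:
    """Split '[epoch:]version-release' into its three parts; no epoch means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVRs: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def is_affected(installed_evr: str, fixed_evr: str = FIXED_CURL_EVR) -> bool:
    """True when the installed build is older than the fixed build."""
    return evrcmp(installed_evr, fixed_evr) < 0


def check_rpm_query(output: str, fixed_evr: str = FIXED_CURL_EVR) -> Dict[str, bool]:
    """Map each package in 'NAME EVR' query output to whether it still needs the update."""
    result: Dict[str, bool] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        name, evr = line.split(None, 1)
        result[name] = is_affected(evr.strip(), fixed_evr)
    return result


if __name__ == "__main__":
    for pkg, needs_update in check_rpm_query(SAMPLE_RPM_QUERY).items():
        print(f"{pkg}: {'UPDATE NEEDED' if needs_update else 'ok'}")
```

On the sample, `curl` at 7.61.1-22.el8 is flagged, `libcurl` at exactly the fixed build is not, and `libcurl-minimal` at 7.61.1-30.el8_8.1 is not, because the extra release segment makes it newer than the fixed build. Epochs are honoured too: an installed 1:7.61.1-1.el8 would rank above the fixed 0-epoch build, which is exactly why `%{EPOCH}` belongs in the query format.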

References

  • https://access.redhat.com/security/updates/classification/#low
  • https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

Red Hat Enterprise Linux for x86_64 8

SRPM

  • curl-7.61.1-30.el8.src.rpm  SHA-256: 186eaaa84e0b2d4aeb0eb3dd70d59a2db1ff32dc95d7b11e968d927085c96bec

x86_64

  • curl-7.61.1-30.el8.x86_64.rpm  SHA-256: a326040d608dc9caf7558f1163ff04b21dabb23248298fa0eb0a37f02c15f509
  • curl-debuginfo-7.61.1-30.el8.i686.rpm  SHA-256: ab9196a7663501b32654ae4e4332b8efcdfadcdcb5d0ed9592f0659c50cf8394
  • curl-debuginfo-7.61.1-30.el8.x86_64.rpm  SHA-256: 8e2087d88b948a2e8750e4ab7fbbbe48f4acc05d234e85a9760bcc198b8cfe4b
  • curl-debugsource-7.61.1-30.el8.i686.rpm  SHA-256: 66665bcbdeb9dea2f121bcd904383defc05041287b2b4a11879962b128f432fb
  • curl-debugsource-7.61.1-30.el8.x86_64.rpm  SHA-256: b6090fbf1d698694fa216f9549bf08bb8771f158d30ce7c0ea0b83894de470c8
  • curl-minimal-debuginfo-7.61.1-30.el8.i686.rpm  SHA-256: c73b99013e6a1d1bbcf46a51e53871f2594562f45fd45f0fac6735fd9ab48074
  • curl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm  SHA-256: d3a7aa773f75af595f7a92e0187806b555e429cea052990c92df3401a8bd7db1
  • libcurl-7.61.1-30.el8.i686.rpm  SHA-256: 3b9c97995f9e206b781d309bb4ca2643d85da1c20cf56f3e53bfdf5414ff853c
  • libcurl-7.61.1-30.el8.x86_64.rpm  SHA-256: 889fc160071ee26879202f69ef8dbc66e05f49cb5e0b74c574bea26b265c7734
  • libcurl-debuginfo-7.61.1-30.el8.i686.rpm  SHA-256: b17d4543a9f31626aa49a6a7842d99842bea4b4cffe3f4c0ceee8369af4de994
  • libcurl-debuginfo-7.61.1-30.el8.x86_64.rpm  SHA-256: 3908c9f5fe45429a0122825c63a846c0ef25603d9deec2d70e2ec6777feaf4d3
  • libcurl-devel-7.61.1-30.el8.i686.rpm  SHA-256: dae30273ecf255bbb070a6abc8c7186509ba1c08bce45f2dd5bc093c668671bc
  • libcurl-devel-7.61.1-30.el8.x86_64.rpm  SHA-256: 0f4feadb4c75ee0fefa95cfd9de15966c256557f476888fbecbe88147186c99f
  • libcurl-minimal-7.61.1-30.el8.i686.rpm  SHA-256: 9e630b85724dae1dfb6fb65f79a5bc34606d5101f837a5b0cdfe7db497067e9b
  • libcurl-minimal-7.61.1-30.el8.x86_64.rpm  SHA-256: 4277a6d57efeb19181d332c934f813a1c8e77b6c9295bbfc4085631928bb9542
  • libcurl-minimal-debuginfo-7.61.1-30.el8.i686.rpm  SHA-256: 592eed416bf75e6ae8bc50462f833bec677c13a1feaed816f2f2912842a5a846
  • libcurl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm  SHA-256: 7fa3e0db574999e5657fe8ea257500a40059b588b95d0a19cc39c9c83ac37c2b

Red Hat Enterprise Linux for IBM z Systems 8

SRPM

  • curl-7.61.1-30.el8.src.rpm  SHA-256: 186eaaa84e0b2d4aeb0eb3dd70d59a2db1ff32dc95d7b11e968d927085c96bec

s390x

  • curl-7.61.1-30.el8.s390x.rpm  SHA-256: 1107a21e1466dd8c9ebfdbbf3732f6c691856e2b2a7008a67e7b97c160880bf6
  • curl-debuginfo-7.61.1-30.el8.s390x.rpm  SHA-256: 2a070bc3863b7f97099b4f6b1ebeec0304172693d15c36b012538d966441a5f4
  • curl-debugsource-7.61.1-30.el8.s390x.rpm  SHA-256: 5660c3d053774ebd7c24b9985b5af7efc07a3cbf801f87209e4cf930bb348502
  • curl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm  SHA-256: bf3c095ad79098c0f354b9019404e0097d3bc0d5311413b4f90bada838ce8e76
  • libcurl-7.61.1-30.el8.s390x.rpm  SHA-256: abdebe816a9fa19302688b38c528127dc8316ae3a9c2c5e38fc33ee6f72d471b
  • libcurl-debuginfo-7.61.1-30.el8.s390x.rpm  SHA-256: 96b60d4233bd95561c0cb3de5d424d7057a6c8402d6141698d611dc58d8961fb
  • libcurl-devel-7.61.1-30.el8.s390x.rpm  SHA-256: a101c1d38950632fd29bc2749047cc720ef63b1bf08913f9e987b1c87655bed9
  • libcurl-minimal-7.61.1-30.el8.s390x.rpm  SHA-256: f5992289d672bfa271d0d4642bf6cca2876ee1673cc019398d78ba5ac5a46300
  • libcurl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm  SHA-256: 25fb0afa09ee375fac3e7eb5c8206f7c8873c2355193711300a21412864db61f

Red Hat Enterprise Linux for Power, little endian 8

SRPM

  • curl-7.61.1-30.el8.src.rpm  SHA-256: 186eaaa84e0b2d4aeb0eb3dd70d59a2db1ff32dc95d7b11e968d927085c96bec

ppc64le

  • curl-7.61.1-30.el8.ppc64le.rpm  SHA-256: c6aab3a21185aec651c9c70fa22a72563814024bb8f4049a0d05c08f551950fc
  • curl-debuginfo-7.61.1-30.el8.ppc64le.rpm  SHA-256: 5d0cb4b6f0ae315a37b07a0d3b4e185400fc4ac7901263ae86d76ba1c6c26d92
  • curl-debugsource-7.61.1-30.el8.ppc64le.rpm  SHA-256: 74725e869bde5ed5f6bf250f160aaa1da57ac0ebaf45743c263e1b99af6dda8a
  • curl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm  SHA-256: d3986050d5b998129382fcd6a8e9020c8ce7453084a42fc75f18be2a413a2214
  • libcurl-7.61.1-30.el8.ppc64le.rpm  SHA-256: 329c6d72ed2c2c611807653ee7956363e1b6f9d0d44bb325d12857103f99d1f5
  • libcurl-debuginfo-7.61.1-30.el8.ppc64le.rpm  SHA-256: 2a4a7379372a31f3e23a60b406c3c6b90716dcb9f286ac8dc6aa4bb32041d62a
  • libcurl-devel-7.61.1-30.el8.ppc64le.rpm  SHA-256: 112f7c407a388a08684e459666e4f26c6ef6634c58352a78cbd8f71e2dc3810d
  • libcurl-minimal-7.61.1-30.el8.ppc64le.rpm  SHA-256: 23909be696b2b565ecbc4e2f8d36ec6e5dd9b4f0e755843efb8dce78b2d7c16b
  • libcurl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm  SHA-256: effb2bb99414671f8c8b9c1c726b8bc9440e4269959a124c17d6b8c7224b7479

Red Hat Enterprise Linux for ARM 64 8

SRPM

  • curl-7.61.1-30.el8.src.rpm  SHA-256: 186eaaa84e0b2d4aeb0eb3dd70d59a2db1ff32dc95d7b11e968d927085c96bec

aarch64

  • curl-7.61.1-30.el8.aarch64.rpm  SHA-256: 58e05684e641d8cf01a3d5b963ff0f1b87d3ff6f24f9c6ed167872de60825fc1
  • curl-debuginfo-7.61.1-30.el8.aarch64.rpm  SHA-256: e356834254065b5532eff812a8bdddfc68086a2afc2f9d22f88b956c224af605
  • curl-debugsource-7.61.1-30.el8.aarch64.rpm  SHA-256: 252d4839eff8d9e10925c9e0f7be96ffa77b8713ca173133c0a5ed7bfb89e57c
  • curl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm  SHA-256: b55db336e116d3cd00517fc5e2a09c825f1ea07d534a97190fecfc28aadae74a
  • libcurl-7.61.1-30.el8.aarch64.rpm  SHA-256: ce0a7152290584fe6f6bd26e93c2c1654d4157ec7cd63284fb093944c9c88de1
  • libcurl-debuginfo-7.61.1-30.el8.aarch64.rpm  SHA-256: 80bd1d6bb7c4c7fd88c619c9d562638fe91b726677af5959f7a81c52b1e841db
  • libcurl-devel-7.61.1-30.el8.aarch64.rpm  SHA-256: 8fe72b994505eb840d3cac8882064b0619728fadd155178431052d99737ab481
  • libcurl-minimal-7.61.1-30.el8.aarch64.rpm  SHA-256: 65551ad505ca006b7cddc9e081231f2d5723ed3c63afb8c8e63f72ebea9aca52
  • libcurl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm  SHA-256: 0e09f2be35f0d13071b0536178ed1f61cf6214bb9158b9dd9c6bde84c75a8396

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202310-12

Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.

Red Hat Security Advisory 2023-4576-01

Red Hat Security Advisory 2023-4576-01 - VolSync is a Kubernetes operator that enables asynchronous replication of persistent volumes within a cluster, or across clusters.

Red Hat Security Advisory 2023-4488-01

Red Hat Security Advisory 2023-4488-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers.

RHSA-2023:3354: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update

An update is now available for Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2 on Red Hat Enterprise Linux versions 7 and 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service. * CVE-2022-4304: A timing-based side channel exists in the Open...

RHSA-2023:3355: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 security update

Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 2 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2006-20001: A flaw was found in the mod_dav module of httpd. A specially crafted "If:" request header can cause a memory read or write of a single zero byte due to a missing error check, resulting in a Denial of Service. * CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation, which could be sufficien...

Red Hat Security Advisory 2023-3326-01

Red Hat Security Advisory 2023-3326-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs.

Red Hat Security Advisory 2023-2963-01

Red Hat Security Advisory 2023-2963-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include file download and use-after-free vulnerabilities.

RHSA-2023:2478: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-35252: A vulnerability found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the server to return a 400 response. This is...

CVE-2023-28190: About the security content of macOS Ventura 13.3

A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data.

CVE-2023-1731: Meinberg Security Advisory: [MBGSA-2023.02] LANTIME-Firmware V7.06.013

In LTOS versions prior to V7.06.013, the configuration file upload function did not correctly validate its input, which would allow a remote authenticated attacker with high privileges to execute arbitrary commands.

Microsoft Zero-Day Bugs Allow Security Feature Bypass

Security vendors urge organizations to fix the actively exploited bugs, in Microsoft Outlook and the Mark of the Web feature, immediately.

CVE-2023-22436: en/security-disclosure/2023/2023-02.md · OpenHarmony/security - Gitee.com

The kernel subsystem function check_permission_for_set_tokenid in OpenHarmony-v3.1.5 and prior versions has a UAF vulnerability, which local attackers can exploit to escalate their privileges to root.

CVE-2022-43552

A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

Debian Security Advisory 5330-1

Debian Linux Security Advisory 5330-1 - Two vulnerabilities were discovered in Curl, an easy-to-use client-side URL transfer library, which could result in denial of service or information disclosure.

Apple Security Advisory 2023-01-23-6

Apple Security Advisory 2023-01-23-6 - macOS Big Sur 11.7.3 addresses buffer overflow, bypass, and code execution vulnerabilities.

Apple Security Advisory 2023-01-23-5

Apple Security Advisory 2023-01-23-5 - macOS Monterey 12.6.3 addresses buffer overflow, bypass, code execution, and information leakage vulnerabilities.

Ubuntu Security Notice USN-5788-1

Ubuntu Security Notice 5788-1 - Hiroki Kurosawa discovered that curl incorrectly handled HSTS support when certain hostnames included IDN characters. A remote attacker could possibly use this issue to cause curl to use unencrypted connections. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 22.10. It was discovered that curl incorrectly handled denials when using HTTP proxies. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.

Scanvus now supports Vulners and Vulns.io VM Linux vulnerability detection APIs

Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]

Gentoo Linux Security Advisory 202212-01

Gentoo Linux Security Advisory 202212-1 - Multiple vulnerabilities have been found in curl, the worst of which could result in arbitrary code execution. Versions less than 7.86.0 are affected.

Red Hat Security Advisory 2022-8840-01

Red Hat Security Advisory 2022-8840-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer overflow, bypass, code execution, denial of service, double free, and out of bounds read vulnerabilities.

Red Hat Security Advisory 2022-8841-01

Red Hat Security Advisory 2022-8841-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include buffer over-read, buffer overflow, bypass, code execution, denial of service, double free, integer overflow, out of bounds read, and use-after-free vulnerabilities.

RHSA-2022:8841: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP1 security update

An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1292: openssl: c_rehash script allows command injection * CVE-2022-2068: openssl: the c_rehash script allows command injection * CVE-2022-22721: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody * CVE-2022-23943: httpd: mod_sed: Read/write beyond bounds * CVE-2022-26377: httpd: mod_proxy_ajp: Possible request smuggling * CVE-2...

RHSA-2022:8840: Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP1 security update

An update is now available for Red Hat JBoss Core Services. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1292: openssl: c_rehash script allows command injection * CVE-2022-2068: openssl: the c_rehash script allows command injection * CVE-2022-22721: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody * CVE-2022-23943: httpd: mod_sed: Read/write beyond bounds * CVE-2022-26377: httpd: mod_proxy_ajp: Possible request smuggling * CVE-20...

CVE-2022-35252

When curl is used to retrieve and parse cookies from a HTTP(S) server, it accepts cookies using control codes that when later are sent back to a HTTP server might make the server return 400 responses. Effectively allowing a "sister site" to deny service to all siblings.

Ubuntu Security Notice USN-5587-1

Ubuntu Security Notice 5587-1 - Axel Chong discovered that when curl accepted and sent back cookies containing control bytes that a HTTP server might return a 400 response. A malicious cookie host could possibly use this to cause denial-of-service.