RHSA-2023:3460: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2022-32206: A vulnerability was found in curl. This issue occurs because the number of acceptable “links” in the “decompression chain” was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. This flaw leads to a denial of service, either by mistake or by a malicious actor.
  • CVE-2023-23916: A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.

Issued: 2023-06-06

Updated: 2023-06-06

RHSA-2023:3460 - Security Advisory

Synopsis

Moderate: curl security update

Type/Severity

Security Advisory: Moderate

Topic

An update for curl is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

  • curl: HTTP compression denial of service (CVE-2022-32206)
  • curl: HTTP multi-header compression denial of service (CVE-2023-23916)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux Server - AUS 8.4 x86_64
  • Red Hat Enterprise Linux Server - TUS 8.4 x86_64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4 x86_64

Fixes

  • BZ - 2099300 - CVE-2022-32206 curl: HTTP compression denial of service
  • BZ - 2167815 - CVE-2023-23916 curl: HTTP multi-header compression denial of service

Red Hat Enterprise Linux Server - AUS 8.4

SRPM

  • curl-7.61.1-18.el8_4.3.src.rpm

x86_64

  • curl-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • curl-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-debugsource-7.61.1-18.el8_4.3.i686.rpm
  • curl-debugsource-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-minimal-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • curl-minimal-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-devel-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-devel-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-minimal-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-minimal-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-minimal-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-minimal-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm

Red Hat Enterprise Linux Server - TUS 8.4

SRPM

  • curl-7.61.1-18.el8_4.3.src.rpm

x86_64

  • curl-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • curl-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-debugsource-7.61.1-18.el8_4.3.i686.rpm
  • curl-debugsource-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-minimal-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • curl-minimal-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-devel-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-devel-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-minimal-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-minimal-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-minimal-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-minimal-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm

Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.4

SRPM

  • curl-7.61.1-18.el8_4.3.src.rpm

ppc64le

  • curl-7.61.1-18.el8_4.3.ppc64le.rpm
  • curl-debuginfo-7.61.1-18.el8_4.3.ppc64le.rpm
  • curl-debugsource-7.61.1-18.el8_4.3.ppc64le.rpm
  • curl-minimal-debuginfo-7.61.1-18.el8_4.3.ppc64le.rpm
  • libcurl-7.61.1-18.el8_4.3.ppc64le.rpm
  • libcurl-debuginfo-7.61.1-18.el8_4.3.ppc64le.rpm
  • libcurl-devel-7.61.1-18.el8_4.3.ppc64le.rpm
  • libcurl-minimal-7.61.1-18.el8_4.3.ppc64le.rpm
  • libcurl-minimal-debuginfo-7.61.1-18.el8_4.3.ppc64le.rpm

Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.4

SRPM

  • curl-7.61.1-18.el8_4.3.src.rpm

x86_64

  • curl-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • curl-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-debugsource-7.61.1-18.el8_4.3.i686.rpm
  • curl-debugsource-7.61.1-18.el8_4.3.x86_64.rpm
  • curl-minimal-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • curl-minimal-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-devel-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-devel-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-minimal-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-minimal-7.61.1-18.el8_4.3.x86_64.rpm
  • libcurl-minimal-debuginfo-7.61.1-18.el8_4.3.i686.rpm
  • libcurl-minimal-debuginfo-7.61.1-18.el8_4.3.x86_64.rpm
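A check a defender can run over per-host `rpm -q curl` output to find systems still below the build listed above, as an added example that is not Red Hat tooling: it reimplements rpm's label ordering (rpmvercmp) in Python so it runs anywhere and compares against curl-7.61.1-18.el8_4.3 from this advisory. The host names and their package versions are constructed, and the fixed build only applies to the RHEL 8.4 AUS, TUS and SAP streams this advisory covers; other streams ship their own fixed build.

```python
"""Find hosts whose curl package is older than the build this advisory ships.

Added example, not Red Hat tooling.  rpm's version ordering is reimplemented
here so the check runs without rpm installed.  FIXED_NVR is taken from the
advisory's package list; it applies only to the RHEL 8.4 streams it covers.
"""
import re
from typing import Dict, List, Tuple

FIXED_NVR = "curl-7.61.1-18.el8_4.3"  # from the advisory's package list

# Constructed sample inventory: one entry per host, as produced by
#   rpm -q curl --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
SAMPLE_INVENTORY: Dict[str, str] = {
    "sap-db01": "curl-7.61.1-18.el8_4.2",   # one release behind: needs update
    "sap-db02": "curl-7.61.1-18.el8_4.3",   # the fixed build
    "telco-gw": "curl-7.61.1-9.el8",        # far older: needs update
    "lab-new":  "curl-7.61.1-22.el8_4.5",   # hypothetical later build
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version/release label ordering: -1, 0 or 1.

    Labels split into digit runs and alpha runs (separators are ignored).
    Digit runs compare numerically, alpha runs lexically, a digit run beats
    an alpha run, '~' sorts before anything, and a longer label is newer
    unless its extra part starts with '~'.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # numeric compare via length
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    extra = sa[len(sb)] if a_longer else sb[len(sa)]
    if extra == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def split_nvr(nvr: str) -> Tuple[str, int, str, str]:
    """'name-[epoch:]version-release' -> (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def compare_nvr(a: str, b: str) -> int:
    """Order two NVRs of the same package: epoch, then version, then release."""
    na, ea, va, ra = split_nvr(a)
    nb, eb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_vulnerable(installed: str, fixed: str = FIXED_NVR) -> bool:
    """True when the installed build sorts below the advisory's fixed build."""
    return compare_nvr(installed, fixed) < 0


def triage(inventory: Dict[str, str]) -> List[str]:
    """Hosts that still need this update, sorted by name."""
    return sorted(h for h, nvr in inventory.items() if is_vulnerable(nvr))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is below {FIXED_NVR}")
```

On a real fleet, `dnf updateinfo` or Red Hat Insights already knows the per-stream fixed builds; the comparison above is the piece those tools perform for you.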

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202310-12

Gentoo Linux Security Advisory 202310-12 - Multiple vulnerabilities have been discovered in curl, the worst of which could result in arbitrary code execution. Versions greater than or equal to 8.3.0-r2 are affected.

CVE-2023-22062: Oracle Critical Patch Update Advisory - July 2023

Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Repository). The supported version that is affected is 11.2.13.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. While the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hyperion Financial Reporting accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hyperion Financial Reporting. CVSS 3.1 Base Score 8.5 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L).

RHSA-2023:4139: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32221: A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set if it previously used the same handle to issue a `PUT` request which used that callback...

Red Hat Security Advisory 2023-0584-01

Red Hat Security Advisory 2023-0584-01 - Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Issues addressed include a denial of service vulnerability.

RHSA-2023:0584: Red Hat Security Advisory: Secondary Scheduler Operator for Red Hat OpenShift 1.1.1 security update

Secondary Scheduler Operator for Red Hat OpenShift 1.1.1. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2880: A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query ...

Red Hat Security Advisory 2023-2107-01

Red Hat Security Advisory 2023-2107-01 - The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-2098-01

Red Hat Security Advisory 2023-2098-01 - Multicluster Engine for Kubernetes 2.0.8 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

RHSA-2023:2107: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.9 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.9 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41724: A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition. * CVE-2022-41725: A flaw was found in Go, where it is vulnerable to a denial of service caused by...

RHSA-2023:2098: Red Hat Security Advisory: Multicluster Engine for Kubernetes 2.0.8 security updates and bug fixes

Multicluster Engine for Kubernetes 2.0.8 General Availability release images, which fix bugs and provide security updates to container images. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25881: A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.

RHSA-2023:2041: Red Hat Security Advisory: Migration Toolkit for Applications security and bug fix update

Migration Toolkit for Applications 6.1.0 release. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3782: A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect ...

Red Hat Security Advisory 2023-2023-01

Red Hat Security Advisory 2023-2023-01 - Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Data Foundation. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform.

RHSA-2023:2023: Red Hat Security Advisory: Red Hat OpenShift Data Foundation 4.11.7 Bug Fix and security update

Updated images that fix several bugs are now available for Red Hat OpenShift Data Foundation 4.11.7 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-40186: A flaw was found in HashiCorp Vault and Vault Enterprise, where they could allow a locally authenticated attacker to gain unauthorized access to the system, caused by a flaw in the alias naming schema implementation for mount accessors with shared alias n...

Red Hat Security Advisory 2023-1639-01

Red Hat Security Advisory 2023-1639-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

RHSA-2022:6507: Red Hat Security Advisory: Red Hat Advanced Cluster Management 2.5.2 security fixes and bug fixes

Red Hat Advanced Cluster Management for Kubernetes 2.5.2 General Availability release images, which fix security issues and bugs. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-36067: vm2: Sandbox Escape in vm2

Red Hat Security Advisory 2022-6430-01

Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2022-6182-01

Red Hat Security Advisory 2022-6182-01 - Openshift Logging Bug Fix Release. Issues addressed include a stack exhaustion vulnerability.

Red Hat Security Advisory 2022-6370-01

Red Hat Security Advisory 2022-6370-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.0 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix security issues and several bugs. Issues addressed include a denial of service vulnerability.

RHSA-2022:6344: Red Hat Security Advisory: Logging Subsystem 5.5.1 Security and Bug Fix Update

Logging Subsystem 5.5.1 - Red Hat OpenShift. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read * CVE-2022-32148: golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working

Red Hat Security Advisory 2022-6157-01

Red Hat Security Advisory 2022-6157-01 - The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Issues addressed include a denial of service vulnerability.

RHSA-2022:6159: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32206: curl: HTTP compression denial of service * CVE-2022-32208: curl: FTP-KRB bad message verification

RHSA-2022:6157: Red Hat Security Advisory: curl security update

An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32206: curl: HTTP compression denial of service * CVE-2022-32207: curl: Unpreserved file permissions * CVE-2022-32208: curl: FTP-KRB bad message verification

CVE-2022-32206

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
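The chain-depth bound that both CVE descriptions on this page call for, as an added Python illustration that is not curl's code: CVE-2022-32206 is the single-header case (one Content-Encoding value with many links) and CVE-2023-23916 the multi-header case (links spread over several Content-Encoding lines, which a bound applied per header line does not catch). MAX_LINKS = 5 is an assumed policy value, not a figure from the advisory, and the sample response headers are constructed.

```python
"""Bounding the HTTP decompression chain (CVE-2022-32206 / CVE-2023-23916).

Added illustration, not curl's code.  A server may stack encodings
("Content-Encoding: gzip, br, gzip"); each link is one decompression pass,
so an unbounded chain lets a malicious server force a "malloc bomb".
chain_per_header_only() bounds each header line on its own, which still
lets a chain spread over several Content-Encoding lines through (the
multi-header case).  chain_bounded() bounds the accumulated chain instead.
MAX_LINKS = 5 is an assumed policy value, not taken from the advisory.
"""
from typing import List, Tuple

MAX_LINKS = 5
KNOWN_ENCODINGS = {"gzip", "x-gzip", "deflate", "br", "zstd", "identity"}


def content_encoding_links(header_value: str) -> List[str]:
    """Split one Content-Encoding value into its ordered, lower-cased links."""
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def _encoding_headers(raw_headers: List[str]) -> List[str]:
    """Values of every Content-Encoding line, in response order."""
    values = []
    for line in raw_headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-encoding":
            values.append(value)
    return values


def chain_per_header_only(raw_headers: List[str]) -> Tuple[bool, List[str]]:
    """Weak check: each header line is bounded separately."""
    chain: List[str] = []
    for value in _encoding_headers(raw_headers):
        links = content_encoding_links(value)
        if len(links) > MAX_LINKS:
            return False, chain
        chain.extend(links)
    return True, chain


def chain_bounded(raw_headers: List[str]) -> Tuple[bool, List[str]]:
    """Hardened check: the bound covers the whole accumulated chain."""
    chain: List[str] = []
    for value in _encoding_headers(raw_headers):
        for link in content_encoding_links(value):
            if link == "identity":
                continue  # no decompression pass needed
            if link not in KNOWN_ENCODINGS:
                return False, chain  # policy choice: refuse unknown encodings
            chain.append(link)
            if len(chain) > MAX_LINKS:
                return False, chain  # refuse before any decoder is set up
    return True, chain


# Constructed sample responses (header lines only; not captured traffic).
BENIGN = ["HTTP/1.1 200 OK", "Content-Encoding: gzip", "Vary: Accept-Encoding"]
SINGLE_HEADER_BOMB = ["HTTP/1.1 200 OK",
                      "Content-Encoding: " + ", ".join(["gzip"] * 20)]
MULTI_HEADER_BOMB = ["HTTP/1.1 200 OK"] + ["Content-Encoding: gzip, br"] * 10

if __name__ == "__main__":
    for label, resp in [("benign", BENIGN), ("single-header", SINGLE_HEADER_BOMB),
                        ("multi-header", MULTI_HEADER_BOMB)]:
        print(label, "per-header:", chain_per_header_only(resp)[0],
              "cross-header:", chain_bounded(resp)[0])
```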

Ubuntu Security Notice USN-5495-1

Ubuntu Security Notice 5495-1 - Harry Sintonen discovered that curl incorrectly handled certain cookies. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 21.10 and Ubuntu 22.04 LTS. Harry Sintonen discovered that curl incorrectly handled certain HTTP compressions. An attacker could possibly use this issue to cause a denial of service. Harry Sintonen discovered that curl incorrectly handled certain file permissions. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 21.10 and Ubuntu 22.04 LTS.