RHSA-2023:1701: Red Hat Security Advisory: curl security update
An update for curl is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-23916: A flaw was found in the Curl package. A malicious server can insert an unlimited number of compression steps. This decompression chain could result in out-of-memory errors.
Issued:
2023-04-11
Updated:
2023-04-11
Synopsis
Moderate: curl security update
Type/Severity
Security Advisory: Moderate
Topic
An update for curl is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
- curl: HTTP multi-header compression denial of service (CVE-2023-23916)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2167815 - CVE-2023-23916 curl: HTTP multi-header compression denial of service
Red Hat Enterprise Linux for x86_64 9
SRPM
curl-7.76.1-19.el9_1.2.src.rpm
x86_64
curl-7.76.1-19.el9_1.2.x86_64.rpm
curl-debuginfo-7.76.1-19.el9_1.2.i686.rpm
curl-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm
curl-debugsource-7.76.1-19.el9_1.2.i686.rpm
curl-debugsource-7.76.1-19.el9_1.2.x86_64.rpm
curl-minimal-7.76.1-19.el9_1.2.x86_64.rpm
curl-minimal-debuginfo-7.76.1-19.el9_1.2.i686.rpm
curl-minimal-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm
libcurl-7.76.1-19.el9_1.2.i686.rpm
libcurl-7.76.1-19.el9_1.2.x86_64.rpm
libcurl-debuginfo-7.76.1-19.el9_1.2.i686.rpm
libcurl-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm
libcurl-devel-7.76.1-19.el9_1.2.i686.rpm
libcurl-devel-7.76.1-19.el9_1.2.x86_64.rpm
libcurl-minimal-7.76.1-19.el9_1.2.i686.rpm
libcurl-minimal-7.76.1-19.el9_1.2.x86_64.rpm
libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.i686.rpm
libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.x86_64.rpm
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
curl-7.76.1-19.el9_1.2.src.rpm
s390x
curl-7.76.1-19.el9_1.2.s390x.rpm
curl-debuginfo-7.76.1-19.el9_1.2.s390x.rpm
curl-debugsource-7.76.1-19.el9_1.2.s390x.rpm
curl-minimal-7.76.1-19.el9_1.2.s390x.rpm
curl-minimal-debuginfo-7.76.1-19.el9_1.2.s390x.rpm
libcurl-7.76.1-19.el9_1.2.s390x.rpm
libcurl-debuginfo-7.76.1-19.el9_1.2.s390x.rpm
libcurl-devel-7.76.1-19.el9_1.2.s390x.rpm
libcurl-minimal-7.76.1-19.el9_1.2.s390x.rpm
libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.s390x.rpm
Red Hat Enterprise Linux for Power, little endian 9
SRPM
curl-7.76.1-19.el9_1.2.src.rpm
ppc64le
curl-7.76.1-19.el9_1.2.ppc64le.rpm
curl-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm
curl-debugsource-7.76.1-19.el9_1.2.ppc64le.rpm
curl-minimal-7.76.1-19.el9_1.2.ppc64le.rpm
curl-minimal-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm
libcurl-7.76.1-19.el9_1.2.ppc64le.rpm
libcurl-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm
libcurl-devel-7.76.1-19.el9_1.2.ppc64le.rpm
libcurl-minimal-7.76.1-19.el9_1.2.ppc64le.rpm
libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.ppc64le.rpm
Red Hat Enterprise Linux for ARM 64 9
SRPM
curl-7.76.1-19.el9_1.2.src.rpm
aarch64
curl-7.76.1-19.el9_1.2.aarch64.rpm
curl-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm
curl-debugsource-7.76.1-19.el9_1.2.aarch64.rpm
curl-minimal-7.76.1-19.el9_1.2.aarch64.rpm
curl-minimal-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm
libcurl-7.76.1-19.el9_1.2.aarch64.rpm
libcurl-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm
libcurl-devel-7.76.1-19.el9_1.2.aarch64.rpm
libcurl-minimal-7.76.1-19.el9_1.2.aarch64.rpm
libcurl-minimal-debuginfo-7.76.1-19.el9_1.2.aarch64.rpm
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis, allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
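The cap-placement flaw described above, as an added Python model that is not curl's own code: a response's Content-Encoding headers are parsed and the decompression chain is bounded once per header (the flawed check, which many short headers slip past) and once across all headers (the hardened check). The cap value, the set of recognised codings, the sample responses and all function names are assumptions for illustration.

```python
"""Model of the CVE-2023-23916 cap placement bug (added example, not curl code).

Assumptions for illustration: MAX_ENCODINGS, KNOWN_ENCODINGS and the sample
responses are constructed here and are not taken from curl or the advisory.
"""
from typing import Callable, List, Tuple

# Bound on decoders allowed in one decompression chain (an assumed value;
# the advisory does not state curl's own limit).
MAX_ENCODINGS = 5

# Content codings this model knows how to decode.
KNOWN_ENCODINGS = {"gzip", "deflate", "br", "zstd"}

Header = Tuple[str, str]


def parse_response_headers(raw: str) -> List[Header]:
    """Split a raw HTTP/1.1 header block into (name, value) pairs.

    The status line is skipped and parsing stops at the blank line that
    ends the header section. Obsolete line folding is not supported.
    """
    pairs: List[Header] = []
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_encoding_list(value: str) -> List[str]:
    """Turn one Content-Encoding value into lowercase coding tokens,
    rejecting any coding this model cannot decode."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    for token in tokens:
        if token not in KNOWN_ENCODINGS:
            raise ValueError(f"unsupported content coding: {token!r}")
    return tokens


def build_chain_per_header(headers: List[Header]) -> List[str]:
    """Flawed variant: the cap is enforced on each header in isolation.

    Every Content-Encoding header may contribute up to MAX_ENCODINGS
    decoders, so the total chain grows with the number of headers.
    """
    chain: List[str] = []
    for name, value in headers:
        if name.lower() != "content-encoding":
            continue
        tokens = parse_encoding_list(value)
        if len(tokens) > MAX_ENCODINGS:      # only this header is counted
            raise ValueError("too many content codings in one header")
        chain.extend(tokens)
    return chain


def build_chain_global(headers: List[Header]) -> List[str]:
    """Hardened variant: the cap counts every decoder across all headers."""
    chain: List[str] = []
    for name, value in headers:
        if name.lower() != "content-encoding":
            continue
        for token in parse_encoding_list(value):
            if len(chain) >= MAX_ENCODINGS:  # the whole chain is counted
                raise ValueError("decompression chain too long")
            chain.append(token)
    return chain


def chain_accepted(builder: Callable[[List[Header]], List[str]], raw: str) -> bool:
    """True if `builder` accepts the decompression chain of a raw response."""
    try:
        builder(parse_response_headers(raw))
    except ValueError:
        return False
    return True


# Constructed sample responses (not captured traffic).
BENIGN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Encoding: gzip\r\n"
    "Content-Length: 20\r\n"
    "\r\n"
)

# Twelve short Content-Encoding headers: each stays under the cap on its
# own, yet together they request 24 decoders.
CHAINED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    + "Content-Encoding: gzip, deflate\r\n" * 12
    + "Content-Length: 20\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_RESPONSE), ("chained", CHAINED_RESPONSE)):
        print(f"{label:8} per-header cap accepts: {chain_accepted(build_chain_per_header, raw)}"
              f"  global cap accepts: {chain_accepted(build_chain_global, raw)}")
```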