AXSA:2021-1956:03

Release date: Monday, June 14, 2021 - 06:07
Subject: curl-7.61.1-18.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description:

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

* curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)
* curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285)
* curl: Inferior OCSP verification (CVE-2020-8286)
* curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set (CVE-2020-8231)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-8231
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVE-2020-8284
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
CVE-2020-8285
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
CVE-2020-8286
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. curl-7.61.1-18.el8.src.rpm
    MD5: 22437bb9b7ab7ddc6a826fe8ee68d3d6
    SHA-256: 5b9dd330cddc4724e66bcbba01cbce5ab006600794c41511ba4a6554f49a874d
    Size: 2.39 MB

Asianux Server 8 for x86_64
  1. curl-7.61.1-18.el8.x86_64.rpm
    MD5: 8f2347ece264734bc4ebb46d0abda75c
    SHA-256: 989c878d824657a9f01bf63f46c779a26ab47bc92eeb708609b053707313b3aa
    Size: 352.32 kB
  2. libcurl-7.61.1-18.el8.x86_64.rpm
    MD5: 2ca4ea1cad983322fa5a34df7a0ab268
    SHA-256: b6bf6e9f838c5f698fb06d177c561fa6aba63faaf6a192bcedd466e489363b7d
    Size: 298.05 kB
  3. libcurl-devel-7.61.1-18.el8.x86_64.rpm
    MD5: 522d27004c9eb1190e541f8a2b893b32
    SHA-256: bfed438d2e6b94724e8f475be94b0d075950d6b8a2158382edc04f0baa972a2e
    Size: 831.68 kB
  4. libcurl-minimal-7.61.1-18.el8.x86_64.rpm
    MD5: 9667181c0b01de9fea32d211b410acbf
    SHA-256: 6f06f179d1fa900b87ef2433671a607f4a16dbb58fdc81e4cb242e37cced4c30
    Size: 285.10 kB
  5. libcurl-7.61.1-18.el8.i686.rpm
    MD5: 586b039fc02ab148944ac405124c2e00
    SHA-256: 06c12a336e98e74f5eb121098c4345e2d43b698c9a93aa2d8a5b3bf01c17355b
    Size: 326.15 kB
  6. libcurl-devel-7.61.1-18.el8.i686.rpm
    MD5: d8f1133bdefb2431fa0ccf82a63241a8
    SHA-256: 8f31eca6fa231cbbc90c72fa0290fd74635cc984b65744edf375c987345e60e1
    Size: 831.73 kB
  7. libcurl-minimal-7.61.1-18.el8.i686.rpm
    MD5: 24785f00156c56867ce9f831fbf6efe6
    SHA-256: b83d1b8fb6728b412021aa891fae438bc96cbdd7fed44c45d9207b3d75f2eb3e
    Size: 311.69 kB