curl-7.61.1-18.el8.1

エラータID: AXSA:2021-2446:04

Release date: 
Monday, September 27, 2021 - 04:37
Subject: 
curl-7.61.1-18.el8.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

* curl: Content not matching hash in Metalink is not being discarded (CVE-2021-22922)
* curl: Metalink download sends credentials (CVE-2021-22923)
* curl: Bad connection reuse due to flawed path name checks (CVE-2021-22924)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-22922
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
CVE-2021-22923
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVE-2021-22924
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.

Solution: 

Update packages.

CVEs: 
CVE-2021-22922
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
CVE-2021-22923
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVE-2021-22924
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
Additional Info: 

N/A

Download: 

SRPMS
  1. curl-7.61.1-18.el8.1.src.rpm
    MD5: aee9f1d52a229a72e38bf2983f9b6c74
    SHA-256: a3904901d33720a983870671253233f01686805bd8273ff99357f5da79e87c1c
    Size: 2.39 MB

Asianux Server 8 for x86_64
  1. curl-7.61.1-18.el8.1.x86_64.rpm
    MD5: dfec34051bb9910dd4e8462af4d586d3
    SHA-256: 83dd328007e528d23f01a77ff68b0aff67e327c460477e2a09abb068d8056b2f
    Size: 349.88 kB
  2. libcurl-7.61.1-18.el8.1.x86_64.rpm
    MD5: f9d35c8c4a1f1ef0c06ffad324ab8cad
    SHA-256: 2f910772fed398d4e0874532d194eeed1567dcedfb8f81739e366df37fd01f45
    Size: 298.44 kB
  3. libcurl-devel-7.61.1-18.el8.1.x86_64.rpm
    MD5: 1428bd78c5ecfea8e6feea71b4a777b4
    SHA-256: 96e795bc436ecad6c3d9a06b0ced8ccb518a10585101b34d1c2c8023c58dfbfc
    Size: 832.01 kB
  4. libcurl-minimal-7.61.1-18.el8.1.x86_64.rpm
    MD5: 89518e24670b2e6579abfc1b3459308f
    SHA-256: fe0c8805a808104b78ef7f967a4451944b12e112d9b29ac5e1d1ed19db1e3ed9
    Size: 285.47 kB
  5. libcurl-7.61.1-18.el8.1.i686.rpm
    MD5: 1ba399e5ea9b9d13cea1ddba377b50d5
    SHA-256: 0423b5493be8d2bbbbef5632906338cef848b68027b1b4caa713b87bda2a8f56
    Size: 326.52 kB
  6. libcurl-devel-7.61.1-18.el8.1.i686.rpm
    MD5: 19167399ba5ffb1792f5503c6717073c
    SHA-256: b42b2b8520dc39bdbb0a51520c0d0ba5c1d35750995e770c6e2ef4ab8916427d
    Size: 832.05 kB
  7. libcurl-minimal-7.61.1-18.el8.1.i686.rpm
    MD5: 923603afd3bb7a2ddd0dd176b243e6ac
    SHA-256: 87d744ed86aabb94756d8b90eb46f0207b3ec94090664c3343a14569035d1905
    Size: 312.12 kB