curl-7.61.1-22.el8.4

Errata ID: AXSA:2022-3789:02

Release date: 
Friday, September 2, 2022 - 08:55
Subject: 
curl-7.61.1-22.el8.4
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

* curl: HTTP compression denial of service (CVE-2022-32206)
* curl: FTP-KRB bad message verification (CVE-2022-32208)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-32206
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
CVE-2022-32208
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
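
For CVE-2022-32206, the following is an added example, not part of this advisory and not curl's code: a client-side guard in Python that bounds both the number of chained `Content-Encoding` steps and the size each step may expand to. `MAX_LINKS`, `MAX_OUTPUT` and every function name are assumptions chosen for illustration, and the sample input is constructed.

```python
import zlib

MAX_LINKS = 5         # assumed cap on chained codings (not given in the advisory)
MAX_OUTPUT = 1 << 20  # assumed 1 MiB ceiling on the output of each decoding step
WBITS = {"gzip": 31, "x-gzip": 31, "deflate": 15}  # zlib window/header selectors

class DecodeRefused(Exception):
    """The response exceeds a limit or uses an unsupported coding."""

def parse_chain(header_value):
    """Return the Content-Encoding codings in the order they were applied."""
    codings = [c.strip().lower() for c in header_value.split(",")]
    return [c for c in codings if c and c != "identity"]

def bounded_inflate(data, coding, limit):
    """Inflate one layer, refusing to produce more than `limit` bytes."""
    d = zlib.decompressobj(WBITS[coding])
    try:
        out = d.decompress(data, limit + 1)  # ask for one byte past the limit
    except zlib.error as exc:
        raise DecodeRefused(f"corrupt {coding} layer: {exc}") from exc
    if len(out) > limit:
        raise DecodeRefused(f"{coding} layer expands past {limit} bytes")
    if not d.eof:
        raise DecodeRefused(f"truncated {coding} layer")
    return out

def decode_body(header_value, body, max_links=MAX_LINKS, max_output=MAX_OUTPUT):
    """Undo a chained Content-Encoding, checking the chain length first."""
    chain = parse_chain(header_value)
    if len(chain) > max_links:
        raise DecodeRefused(f"{len(chain)} codings exceeds cap of {max_links}")
    for coding in reversed(chain):  # last coding applied is removed first
        if coding not in WBITS:
            raise DecodeRefused(f"unsupported coding {coding!r}")
        body = bounded_inflate(body, coding, max_output)
    return body

def build_sample(payload, codings):
    """Constructed test input: compress `payload` once per listed coding."""
    for coding in codings:
        c = zlib.compressobj(wbits=WBITS[coding])
        payload = c.compress(payload) + c.flush()
    return ", ".join(codings), payload

if __name__ == "__main__":
    header, body = build_sample(b"hello", ["gzip", "deflate", "gzip"])
    print(decode_body(header, body))
```

The chain length is checked before any decompression runs, so an over-long chain costs no heap at all; the per-step ceiling covers a short chain whose single layer expands too far.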

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. curl-7.61.1-22.el8.4.src.rpm
    MD5: 617dd21e223e8dfde108cdd38d9ff466
    SHA-256: d9e9928d088a0d95dbe07dcc571b4cd9aca2f44fbebdcbeb3c2452dd7c78b87c
    Size: 2.42 MB

Asianux Server 8 for x86_64
  1. curl-7.61.1-22.el8.4.x86_64.rpm
    MD5: a21ce9e76fa8d1ecdac31f280ac4e0a7
    SHA-256: 5bae1634ee7383c6ec0f040bc358cdc2edcc5908a79ef4b23e6fae32888219ab
    Size: 351.05 kB
  2. libcurl-7.61.1-22.el8.4.x86_64.rpm
    MD5: aec5804ea31964d7e762cdfaeb0e2aa5
    SHA-256: 19dd09117fde6ff9bd2a5eccdb7be3add65745d6964c7d575de9a20fcfe60fd1
    Size: 300.74 kB
  3. libcurl-devel-7.61.1-22.el8.4.x86_64.rpm
    MD5: 783a67190618955e713ff30a5f9111d2
    SHA-256: 11f3fb427ceaba139fe82f3690448dc838cf874f60f98772bcc07c99212b78dc
    Size: 833.21 kB
  4. libcurl-minimal-7.61.1-22.el8.4.x86_64.rpm
    MD5: e1561790a8dac06aafba5f934099865a
    SHA-256: b7a670ebb4cafb606f1ff29b8018d6f5f1025e1fc242470cae2d20900bff7d87
    Size: 287.45 kB
  5. libcurl-7.61.1-22.el8.4.i686.rpm
    MD5: 4185df1f0d5e8f1d8602b639b5a25586
    SHA-256: ad5dee77a65003cf533e2b91a82d5766c48c841a2dc5bd67c5f797bfbdd31419
    Size: 328.59 kB
  6. libcurl-devel-7.61.1-22.el8.4.i686.rpm
    MD5: 4164d2955ec84d5f07683cdd480c10b3
    SHA-256: 565499f4eb9a8f87a304a0510118f3ece164a79900e877e4f70d398c3b44235a
    Size: 833.27 kB
  7. libcurl-minimal-7.61.1-22.el8.4.i686.rpm
    MD5: 295de9014b3a2692449b3991109ad836
    SHA-256: 5d806b818cc29e7ad03343f227b104f59e22f7434e9d4431e938d857565a5e92
    Size: 313.92 kB