curl-7.61.1-22.el8.4
Errata ID: AXSA:2022-3789:02
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: HTTP compression denial of service (CVE-2022-32206)
* curl: FTP-KRB bad message verification (CVE-2022-32208)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2022-32206
curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
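The mitigation for an unbounded decompression chain is to count the links in the Content-Encoding header and refuse the response before allocating anything for the stages. The following Python is an added example written for this errata page, not curl's own code: it parses a Content-Encoding header into its ordered codings, rejects chains longer than a fixed bound, and only then undoes the codings right to left. The bound `MAX_ENCODING_LINKS = 5`, the helper names, and the sample body are assumptions chosen for illustration, not values taken from the advisory.

```python
"""Bounded Content-Encoding chain decoding.

Added example (not curl's code) illustrating the fix class for the
unbounded "decompression chain" described in CVE-2022-32206: cap the
number of encoding links accepted from a server before decoding any of
them. MAX_ENCODING_LINKS is an illustrative bound chosen here.
"""
from __future__ import annotations

import gzip
import zlib

MAX_ENCODING_LINKS = 5  # assumption: illustrative bound, not from the advisory

# Codings this example knows how to undo; "identity" is a no-op.
_DECODERS = {
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": zlib.decompress,
    "identity": lambda data: data,
}


class EncodingChainError(ValueError):
    """Raised when a Content-Encoding chain is too long or uses unknown codings."""


def parse_content_encoding(header_value: str) -> list[str]:
    """Split a Content-Encoding header into its ordered list of codings.

    The server applied the codings left to right, so a client must undo
    them right to left. Empty elements and surrounding whitespace are
    dropped, and coding names are compared case-insensitively.
    """
    return [tok.strip().lower() for tok in header_value.split(",") if tok.strip()]


def decode_body(header_value: str, body: bytes,
                max_links: int = MAX_ENCODING_LINKS) -> bytes:
    """Undo every coding in the chain, refusing chains longer than max_links.

    The length check runs before any decompression, so a hostile header
    cannot make the client allocate buffers for an unbounded number of
    stages; unknown codings are rejected for the same reason.
    """
    chain = parse_content_encoding(header_value)
    if len(chain) > max_links:
        raise EncodingChainError(
            f"Content-Encoding chain has {len(chain)} links; limit is {max_links}")
    unknown = [c for c in chain if c not in _DECODERS]
    if unknown:
        raise EncodingChainError(f"unsupported content coding(s): {unknown}")
    data = body
    for coding in reversed(chain):
        data = _DECODERS[coding](data)
    return data


def encode_body(codings: list[str], body: bytes) -> bytes:
    """Constructed helper: apply codings left to right, as a server would."""
    encoders = {
        "gzip": gzip.compress,
        "x-gzip": gzip.compress,
        "deflate": zlib.compress,
        "identity": lambda data: data,
    }
    data = body
    for coding in codings:
        data = encoders[coding](data)
    return data


if __name__ == "__main__":
    payload = b"hello, world" * 1000  # constructed sample body
    normal = encode_body(["gzip", "deflate", "gzip"], payload)
    assert decode_body("gzip, deflate, gzip", normal) == payload
    # A chain of eight links is refused before any stage is decoded.
    hostile = encode_body(["gzip"] * 8, payload)
    try:
        decode_body(", ".join(["gzip"] * 8), hostile)
    except EncodingChainError as exc:
        print("rejected:", exc)
```

The important property is the ordering inside `decode_body`: the chain length and the coding names are validated against the header alone, so the cost of a rejected response is bounded by header parsing rather than by however many decompression stages the server chose to advertise.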
CVE-2022-32208
When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.
Update packages.
N/A
SRPMS
- curl-7.61.1-22.el8.4.src.rpm
MD5: 617dd21e223e8dfde108cdd38d9ff466
SHA-256: d9e9928d088a0d95dbe07dcc571b4cd9aca2f44fbebdcbeb3c2452dd7c78b87c
Size: 2.42 MB
Asianux Server 8 for x86_64
- curl-7.61.1-22.el8.4.x86_64.rpm
MD5: a21ce9e76fa8d1ecdac31f280ac4e0a7
SHA-256: 5bae1634ee7383c6ec0f040bc358cdc2edcc5908a79ef4b23e6fae32888219ab
Size: 351.05 kB
- libcurl-7.61.1-22.el8.4.x86_64.rpm
MD5: aec5804ea31964d7e762cdfaeb0e2aa5
SHA-256: 19dd09117fde6ff9bd2a5eccdb7be3add65745d6964c7d575de9a20fcfe60fd1
Size: 300.74 kB
- libcurl-devel-7.61.1-22.el8.4.x86_64.rpm
MD5: 783a67190618955e713ff30a5f9111d2
SHA-256: 11f3fb427ceaba139fe82f3690448dc838cf874f60f98772bcc07c99212b78dc
Size: 833.21 kB
- libcurl-minimal-7.61.1-22.el8.4.x86_64.rpm
MD5: e1561790a8dac06aafba5f934099865a
SHA-256: b7a670ebb4cafb606f1ff29b8018d6f5f1025e1fc242470cae2d20900bff7d87
Size: 287.45 kB
- libcurl-7.61.1-22.el8.4.i686.rpm
MD5: 4185df1f0d5e8f1d8602b639b5a25586
SHA-256: ad5dee77a65003cf533e2b91a82d5766c48c841a2dc5bd67c5f797bfbdd31419
Size: 328.59 kB
- libcurl-devel-7.61.1-22.el8.4.i686.rpm
MD5: 4164d2955ec84d5f07683cdd480c10b3
SHA-256: 565499f4eb9a8f87a304a0510118f3ece164a79900e877e4f70d398c3b44235a
Size: 833.27 kB
- libcurl-minimal-7.61.1-22.el8.4.i686.rpm
MD5: 295de9014b3a2692449b3991109ad836
SHA-256: 5d806b818cc29e7ad03343f227b104f59e22f7434e9d4431e938d857565a5e92
Size: 313.92 kB