curl-7.76.1-19.el9.2
エラータID: AXSA:2023-5290:06
Release date:
Thursday, April 13, 2023 - 09:53
Subject:
curl-7.76.1-19.el9.2
Affected Channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: HTTP multi-header compression denial of service (CVE-2023-23916)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl
Solution:
Update packages.
CVEs:
CVE-2023-23916
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
Additional Info:
N/A
Download:
SRPMS
- curl-7.76.1-19.el9.2.src.rpm
MD5: 298ef2bff828136c83f2ddf5c59ef55f
SHA-256: 7b2212471ffd91dd31879a2f1e88eae7d7d8c65dfdc0260ab64ede96b6cfde59
Size: 2.39 MB
Asianux Server 9 for x86_64
- curl-7.76.1-19.el9.2.x86_64.rpm
MD5: 0984f6c9501157e8e33edbe9cc9d3469
SHA-256: b3fb0cdbb530ea2b32e724b94a8081817fcc31df2ef67cf586ced4055fef2a4f
Size: 294.80 kB - curl-minimal-7.76.1-19.el9.2.x86_64.rpm
MD5: afb436b5193195cb45910b40cbf28716
SHA-256: b133c7c3613a93df57d5bc0cb192bd9b9f6c9c08007d23c4319c269c35e4cd43
Size: 127.67 kB - libcurl-7.76.1-19.el9.2.i686.rpm
MD5: 658bed603104a8199577356814b72c81
SHA-256: 12e9ea09f9c3d803a63c93088df1de9c1cc356946a11be3ba9028367e90f19ec
Size: 310.61 kB - libcurl-7.76.1-19.el9.2.x86_64.rpm
MD5: d2153c5c1144466d8ce132662a2cfe04
SHA-256: 65064d2d4f90a5a16a577aba3b0be2e6714a2d8eaf88716cc862e43ef4b6c020
Size: 284.82 kB - libcurl-devel-7.76.1-19.el9.2.i686.rpm
MD5: 53d12abcb6bd4fe78d36a76b9f3f3c1f
SHA-256: 6aee9513601f0658a36036775b96439c70113bb41788e3899b31384d053adc05
Size: 849.56 kB - libcurl-devel-7.76.1-19.el9.2.x86_64.rpm
MD5: 69f1585e7f264b593f58a5678a73488f
SHA-256: 870e9eb53f4b94a7122277e4411f8ec52aae3b2fff260591c64553b2daaf982f
Size: 849.56 kB - libcurl-minimal-7.76.1-19.el9.2.i686.rpm
MD5: 436f8143012dcf0bffef0e7551050dab
SHA-256: b759aa01c3648b7f221de9bf0f581dae63583fdf8649db9c53071ec9c0e91fdb
Size: 245.76 kB - libcurl-minimal-7.76.1-19.el9.2.x86_64.rpm
MD5: 37c3714b5bc3bbbb26ea3a2dba1fa52d
SHA-256: 0bfabcf3d56f40800bf397103da6de3afe3d7bea32ab0b43dd4fceea66da347c
Size: 225.37 kB