curl-7.76.1-23.el9.1
Errata ID: AXSA:2023-6065:09
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: FTP too eager connection reuse (CVE-2023-27535)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-27535
An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.
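The match problem described above, as an added example that is not libcurl source or part of the original advisory: a simplified model of a connection-pool lookup, comparing a check that ignores the four FTP settings with one that includes them. The struct, function names, sample host and values are hypothetical, and the model assumes host, user and password were the fields already compared.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one pooled FTP connection's setup (not libcurl's structs). */
struct ftp_cfg {
    const char *host, *user, *password;
    const char *account;     /* CURLOPT_FTP_ACCOUNT */
    const char *alt_to_user; /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    long ssl_ccc;            /* CURLOPT_FTP_SSL_CCC */
    long use_ssl;            /* CURLOPT_USE_SSL */
};

/* NULL-safe equality: an unset value matches only another unset value. */
static bool str_eq(const char *a, const char *b) {
    return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* Incomplete check: ignores the four FTP settings named in the advisory. */
static bool match_loose(const struct ftp_cfg *c, const struct ftp_cfg *w) {
    return str_eq(c->host, w->host) && str_eq(c->user, w->user) &&
           str_eq(c->password, w->password);
}

/* Complete check: every setting that affects the session must agree. */
static bool match_strict(const struct ftp_cfg *c, const struct ftp_cfg *w) {
    return match_loose(c, w) && str_eq(c->account, w->account) &&
           str_eq(c->alt_to_user, w->alt_to_user) &&
           c->ssl_ccc == w->ssl_ccc && c->use_ssl == w->use_ssl;
}

/* Index of the first reusable pooled connection, or -1 to open a new one. */
static int find_reusable(const struct ftp_cfg *pool, int n, const struct ftp_cfg *want,
                         bool (*match)(const struct ftp_cfg *, const struct ftp_cfg *)) {
    for (int i = 0; i < n; i++)
        if (match(&pool[i], want)) return i;
    return -1;
}

/* Constructed sample data: same host and login, different account and TLS setting
   (use_ssl 1 = on, 0 = off in this model). */
static const struct ftp_cfg POOL[] = {
    {"ftp.example.test", "shared", "pw", "acct-A", NULL, 0, 1},
};
static const struct ftp_cfg WANT = {"ftp.example.test", "shared", "pw", "acct-B", NULL, 0, 0};

int main(void) {
    printf("loose:  %d\n", find_reusable(POOL, 1, &WANT, match_loose));
    printf("strict: %d\n", find_reusable(POOL, 1, &WANT, match_strict));
    return 0;
}
```

With the loose check the second transfer is handed the pooled connection that was set up for a different account and TLS setting; with the strict check no pooled entry matches and a new connection is opened.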
Update packages.
N/A
SRPMS
- curl-7.76.1-23.el9.1.src.rpm
MD5: a00a4b26cf9f77bda15e72bfd22dfbd9
SHA-256: 835c74161273688b62106b724b9ee4fd6cf1f2d3ec2cab7a96fe472b417eb863
Size: 2.40 MB
Asianux Server 9 for x86_64
- curl-7.76.1-23.el9.1.x86_64.rpm
MD5: 0fd426fe291b12c7d4664d3f9e0ba42f
SHA-256: c5687099025a2db318993872b4ded5d3c56997b46b610319fb2ee2318bd3e18d
Size: 294.19 kB
- curl-minimal-7.76.1-23.el9.1.x86_64.rpm
MD5: 1f174baddebe8cfcd89af18b7f49b14b
SHA-256: 8aa91b3e681a0e35bb3b1aeb7ed96c06e0133f5037634e9f38ad0eca3078b9bf
Size: 127.91 kB
- libcurl-7.76.1-23.el9.1.i686.rpm
MD5: ff7b1c9aa28b8d53a7626f2f54d2ec58
SHA-256: 01969e7f7b4e36725bf3d52adc0aa8020fb5ecc160a61efa3e16282c8b640000
Size: 311.40 kB
- libcurl-7.76.1-23.el9.1.x86_64.rpm
MD5: 7f0d8f2660525032d0b95d5427c01bc2
SHA-256: 1856a1a9e29ddac07ce19eb806f7a297dd2d12f5af018092450ca0947065b0ff
Size: 284.99 kB
- libcurl-devel-7.76.1-23.el9.1.i686.rpm
MD5: ab74a12d225f3cde46dd3268332d4fea
SHA-256: e6d80ae346d4305f803ab17faa7df71c3934a93ca9310723bca3a758697124a0
Size: 849.77 kB
- libcurl-devel-7.76.1-23.el9.1.x86_64.rpm
MD5: e2b61c53479f7541135c42205fbc068d
SHA-256: 5f7fb92dd34d8b1b6c927ddf3bff0239eb74a462eeef6af82e68d2df16d1001a
Size: 849.82 kB
- libcurl-minimal-7.76.1-23.el9.1.i686.rpm
MD5: df8755247b978b667415a454342bd6d9
SHA-256: a009a67458dffcd091bbbf66925936c0a8744633079bac0c7af85d6a3a12d55a
Size: 246.33 kB
- libcurl-minimal-7.76.1-23.el9.1.x86_64.rpm
MD5: 1145ccca3d4d8b733c1c971133dc9103
SHA-256: 2ab99b0ad2546a91903a65c62933945b5a37bca1167d62b4cb64de5c179d0885
Size: 225.95 kB