curl-7.76.1-26.el9_3.3

エラータID: AXSA:2024-7591:01

Release date: 
Friday, March 8, 2024 - 18:05
Subject: 
curl-7.76.1-26.el9_3.3
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.

Security Fix(es):

* curl: information disclosure by exploiting a mixed case flaw (CVE-2023-46218)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-46218
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.

Solution: 

Update packages.

CVEs: 
CVE-2023-46218
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.
Additional Info: 

N/A

Download: 

SRPMS
  1. curl-7.76.1-26.el9_3.3.src.rpm
    MD5: 8b23d79c2db36d4777105dc412fc4dc7
    SHA-256: 52e4310ae69b9dfdf58fb6499c49b95f0fab8cf87f162e1db7137511510c1912
    Size: 2.43 MB

Asianux Server 9 for x86_64
  1. curl-7.76.1-26.el9_3.3.x86_64.rpm
    MD5: f26f69bb10bd40d82b4260107e54ab31
    SHA-256: 5262f17a6a330f880bad5c64ef36f31f24d2beb8f92bf55e51ca1d6bdacb7818
    Size: 293.08 kB
  2. curl-minimal-7.76.1-26.el9_3.3.x86_64.rpm
    MD5: a0ac70b6339cf52c786e0a3724a15234
    SHA-256: 6f122c5528b941db61f08584ce425002f832918844b5c7781e52e42fd275abcc
    Size: 126.75 kB
  3. libcurl-7.76.1-26.el9_3.3.i686.rpm
    MD5: 204616944bef62f01ae0651816ee31b2
    SHA-256: 4922fd4a282bc4ee01cc4debef075ac50253d9eb164a6dcd02e18396dc2ae3a9
    Size: 309.92 kB
  4. libcurl-7.76.1-26.el9_3.3.x86_64.rpm
    MD5: 3543b81152903f8b91f4ad9f3e7443f5
    SHA-256: cae697c567ff2df765b0d911ee744578c0ca83b370d24b5f033c2630e681feb7
    Size: 283.86 kB
  5. libcurl-devel-7.76.1-26.el9_3.3.i686.rpm
    MD5: f585524e00b93482e804b51537a42992
    SHA-256: 7699660d0efd455f70209f42ba5a5c65b3c0565cb8a5a934cd6237fc6ebf733a
    Size: 0.96 MB
  6. libcurl-devel-7.76.1-26.el9_3.3.x86_64.rpm
    MD5: be6b41a97dad551c959a7749b601d75f
    SHA-256: 18464e11891ec661e328c5923ae45a818ea3292c419a3f1b0bc8c4350ecec51f
    Size: 0.96 MB
  7. libcurl-minimal-7.76.1-26.el9_3.3.i686.rpm
    MD5: 50661177b04d15301157ac71c8e51f68
    SHA-256: 57899c387def483281a2b5f9dbe21eb86a4eba27ad89a1bee4d6618b2b600293
    Size: 244.88 kB
  8. libcurl-minimal-7.76.1-26.el9_3.3.x86_64.rpm
    MD5: c1ccea171d4395f0ab5ca43e7e2bd201
    SHA-256: 7312ae07126303cec05accad90097b7b8eea8586319e550b67eb54ce9af6a0e7
    Size: 223.95 kB