curl-7.61.1-18.el8.1
エラータID: AXSA:2021-2446:04
リリース日:
2021/09/27 Monday - 04:37
題名:
curl-7.61.1-18.el8.1
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- curl には Metalink 機能を使ってコンテンツをダウンロードした後にファイルハッシュの
ミスマッチを処理する方法に問題があり、ホスティングサーバーを制御している悪意のある
攻撃者がユーザーを欺き、悪意あるコンテンツをダウンロードさせる脆弱性があります。
(CVE-2021-22922)
- curl には Metalink 機能を使ってコンテンツをダウンロードする際、Metalink XMLを
ダウンロードするためにユーザー名とパスワードを使用しますが、curl がコンテンツを
ダウンロード、またはダウンロードしようとするサーバーに同じ認証情報を送ってしまう
問題があり、悪意のある攻撃者がユーザーに知られることなく認証情報にアクセス
出来てしまう脆弱性があります。(CVE-2021-22923)
- libcurl には、以前に使用したコネクションを、設定が一致した場合にその後の転送に
再利用できるようコネクションプールに保存しますが、ロジックのエラーにより
マッチング関数が『発行者証明書』をアカウントに取り入れず、関連するパスを
大文字小文字を考慮せずに比較する問題があり、誤った接続を再利用してしまう
脆弱性があります。(CVE-2021-22924)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2021-22922
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.
CVE-2021-22923
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.
CVE-2021-22924
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.
追加情報:
N/A
ダウンロード:
SRPMS
- curl-7.61.1-18.el8.1.src.rpm
MD5: aee9f1d52a229a72e38bf2983f9b6c74
SHA-256: a3904901d33720a983870671253233f01686805bd8273ff99357f5da79e87c1c
Size: 2.39 MB
Asianux Server 8 for x86_64
- curl-7.61.1-18.el8.1.x86_64.rpm
MD5: dfec34051bb9910dd4e8462af4d586d3
SHA-256: 83dd328007e528d23f01a77ff68b0aff67e327c460477e2a09abb068d8056b2f
Size: 349.88 kB - libcurl-7.61.1-18.el8.1.x86_64.rpm
MD5: f9d35c8c4a1f1ef0c06ffad324ab8cad
SHA-256: 2f910772fed398d4e0874532d194eeed1567dcedfb8f81739e366df37fd01f45
Size: 298.44 kB - libcurl-devel-7.61.1-18.el8.1.x86_64.rpm
MD5: 1428bd78c5ecfea8e6feea71b4a777b4
SHA-256: 96e795bc436ecad6c3d9a06b0ced8ccb518a10585101b34d1c2c8023c58dfbfc
Size: 832.01 kB - libcurl-minimal-7.61.1-18.el8.1.x86_64.rpm
MD5: 89518e24670b2e6579abfc1b3459308f
SHA-256: fe0c8805a808104b78ef7f967a4451944b12e112d9b29ac5e1d1ed19db1e3ed9
Size: 285.47 kB - libcurl-7.61.1-18.el8.1.i686.rpm
MD5: 1ba399e5ea9b9d13cea1ddba377b50d5
SHA-256: 0423b5493be8d2bbbbef5632906338cef848b68027b1b4caa713b87bda2a8f56
Size: 326.52 kB - libcurl-devel-7.61.1-18.el8.1.i686.rpm
MD5: 19167399ba5ffb1792f5503c6717073c
SHA-256: b42b2b8520dc39bdbb0a51520c0d0ba5c1d35750995e770c6e2ef4ab8916427d
Size: 832.05 kB - libcurl-minimal-7.61.1-18.el8.1.i686.rpm
MD5: 923603afd3bb7a2ddd0dd176b243e6ac
SHA-256: 87d744ed86aabb94756d8b90eb46f0207b3ec94090664c3343a14569035d1905
Size: 312.12 kB
English