curl-7.76.1-14.el9.4.ML.1
Errata ID: AXSA:2022-4366:04
Release date:
2022/12/09 Friday - 08:05
Title:
curl-7.76.1-14.el9.4.ML.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
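The following issues have been addressed.
[Security Fix]
- curl can reuse an OAUTH2 connection without verifying that it was authenticated with the same credentials as those set for the connection, which allows an attacker to bypass authentication. (CVE-2022-22576)
- curl does not adequately protect credentials when protected HTTP(S) traffic is redirected, which allows an attacker to extract credentials and leak them to services that use other protocols or port numbers. (CVE-2022-27774)
- curl does not adequately protect credentials, which allows authentication data and Cookie header data from HTTP redirects to leak to an application on another port number on the same host. (CVE-2022-27776)
- libcurl reuses connections that should not be reused when some TLS or SSH connection settings have been changed, which allows an attacker to bypass authentication. (CVE-2022-27782)
Solution:
Update the packages.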
CVE:
CVE-2022-22576
An improper authentication vulnerability exists in curl 7.33.0 up to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).
CVE-2022-27774
An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including curl 7.82.0 that could allow an attacker to extract credentials: when following HTTP(S) redirects is used with authentication, curl could leak credentials to other services that exist on different protocols or port numbers.
CVE-2022-27776
An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.
CVE-2022-27782
libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.
Additional information:
N/A
Downloads:
SRPMS
- curl-7.76.1-14.el9.4.ML.1.src.rpm
Size: 2.38 MB
Asianux Server 9 for x86_64
- curl-7.76.1-14.el9.4.ML.1.x86_64.rpm
Size: 294.71 kB
- curl-minimal-7.76.1-14.el9.4.ML.1.x86_64.rpm
Size: 128.36 kB
- libcurl-7.76.1-14.el9.4.ML.1.x86_64.rpm
Size: 284.42 kB
- libcurl-devel-7.76.1-14.el9.4.ML.1.x86_64.rpm
Size: 849.95 kB
- libcurl-minimal-7.76.1-14.el9.4.ML.1.x86_64.rpm
Size: 225.73 kB
- libcurl-7.76.1-14.el9.4.ML.1.i686.rpm
Size: 310.71 kB
- libcurl-devel-7.76.1-14.el9.4.ML.1.i686.rpm
Size: 849.99 kB
- libcurl-minimal-7.76.1-14.el9.4.ML.1.i686.rpm
Size: 246.04 kB