An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2022-1675
Final
1.0
1.0
2022-05-28
Initial
2022-05-28
2022-05-28
openEuler SA Tool V1.0
2022-05-28
curl security update
An update for curl is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.
cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.
Security Fix(es):
libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily. (CVE-2022-27782)
A vulnerability was found in curl. This issue occurs due to an erroneous function. A malicious server could make curl within Network Security Services (NSS) get stuck in a never-ending busy loop when trying to retrieve that information. This flaw allows an Infinite Loop, affecting system availability. (CVE-2022-27781)
openEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Medium
curl
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1675
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27782
https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-27781
https://nvd.nist.gov/vuln/detail/CVE-2022-27782
https://nvd.nist.gov/vuln/detail/CVE-2022-27781
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
curl-7.71.1-14.oe1.aarch64.rpm
curl-debugsource-7.71.1-14.oe1.aarch64.rpm
curl-debuginfo-7.71.1-14.oe1.aarch64.rpm
libcurl-7.71.1-14.oe1.aarch64.rpm
libcurl-devel-7.71.1-14.oe1.aarch64.rpm
curl-7.71.1-14.oe1.aarch64.rpm
curl-debugsource-7.71.1-14.oe1.aarch64.rpm
curl-debuginfo-7.71.1-14.oe1.aarch64.rpm
libcurl-7.71.1-14.oe1.aarch64.rpm
libcurl-devel-7.71.1-14.oe1.aarch64.rpm
curl-7.79.1-6.oe2203.aarch64.rpm
curl-debugsource-7.79.1-6.oe2203.aarch64.rpm
curl-debuginfo-7.79.1-6.oe2203.aarch64.rpm
libcurl-7.79.1-6.oe2203.aarch64.rpm
libcurl-devel-7.79.1-6.oe2203.aarch64.rpm
curl-help-7.71.1-14.oe1.noarch.rpm
curl-help-7.71.1-14.oe1.noarch.rpm
curl-help-7.79.1-6.oe2203.noarch.rpm
curl-7.71.1-14.oe1.src.rpm
curl-7.71.1-14.oe1.src.rpm
curl-7.79.1-6.oe2203.src.rpm
curl-7.71.1-14.oe1.x86_64.rpm
curl-debugsource-7.71.1-14.oe1.x86_64.rpm
curl-debuginfo-7.71.1-14.oe1.x86_64.rpm
libcurl-7.71.1-14.oe1.x86_64.rpm
libcurl-devel-7.71.1-14.oe1.x86_64.rpm
curl-7.71.1-14.oe1.x86_64.rpm
curl-debugsource-7.71.1-14.oe1.x86_64.rpm
curl-debuginfo-7.71.1-14.oe1.x86_64.rpm
libcurl-7.71.1-14.oe1.x86_64.rpm
libcurl-devel-7.71.1-14.oe1.x86_64.rpm
curl-7.79.1-6.oe2203.x86_64.rpm
curl-debugsource-7.79.1-6.oe2203.x86_64.rpm
curl-debuginfo-7.79.1-6.oe2203.x86_64.rpm
libcurl-7.79.1-6.oe2203.x86_64.rpm
libcurl-devel-7.79.1-6.oe2203.x86_64.rpm
libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.
2022-05-28
CVE-2022-27782
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
Medium
6.0
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
curl security update
2022-05-28
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1675
A vulnerability was found in curl. This issue occurs due to an erroneous function. A malicious server could make curl within Network Security Services (NSS) get stuck in a never-ending busy loop when trying to retrieve that information. This flaw allows an Infinite Loop, affecting system availability.
2022-05-28
CVE-2022-27781
openEuler-20.03-LTS-SP1
openEuler-20.03-LTS-SP3
openEuler-22.03-LTS
Medium
5.3
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
curl security update
2022-05-28
https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1675