Univention Bugzilla – Bug 55140
curl: Multiple issues (5.0)
Last modified: 2022-08-31 12:19:38 CEST
New Debian curl 7.64.0-4+deb10u3 fixes:

This update addresses the following issues:

* TELNET stack contents disclosure (CVE-2021-22898)
* bad connection reuse due to flawed path name checks (CVE-2021-22924)
* protocol downgrade required TLS bypassed (CVE-2021-22946)
* STARTTLS protocol injection via MITM (CVE-2021-22947)
* OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
* auth/cookie leak on redirect (CVE-2022-27776)
* CERTINFO never-ending busy-loop (CVE-2022-27781)
* TLS and SSH connection too eager reuse (CVE-2022-27782)
* HTTP compression denial of service (CVE-2022-32206)
* FTP-KRB bad message verification (CVE-2022-32208)
--- mirror/ftp/pool/main/c/curl/curl_7.64.0-4+deb10u2.dsc +++ apt/ucs_5.0-0-errata5.0-2/source/curl_7.64.0-4+deb10u3.dsc @@ -1,3 +1,14 @@ +7.64.0-4+deb10u3 [Sun, 28 Aug 2022 17:35:03 +0200] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2021-22898, CVE-2021-22924, CVE-2021-22946, CVE-2021-22947 + CVE-2022-22576, CVE-2022-27776, CVE-2022-27781, CVE-2022-32206, + CVE-2022-32208, CVE-2022-27782. + * Multiple security vulnerabilities have been discovered in cURL, an URL + transfer library. These flaws may allow remote attackers to obtain + sensitive information, leak authentication or cookie header data or + facilitate a denial of service attack. + 7.64.0-4+deb10u2 [Tue, 30 Mar 2021 21:56:00 +0100] Alessandro Ghedini <ghedo@debian.org>: * Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169 <http://piuparts.knut.univention.de/5.0-2/#358382355040465232>
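Review bot: the CVE list in the new 7.64.0-4+deb10u3 stanza is out of numeric order, with CVE-2022-27782 trailing after CVE-2022-32208 on the last line of the "Fix" bullet, which makes it easy to miss when cross-checking against the DLA and the erratum text; move it after CVE-2022-27781. The same bullet drops the comma between "CVE-2021-22947" and the continuation line "CVE-2022-22576", so the first line should read "CVE-2021-22898, CVE-2021-22924, CVE-2021-22946, CVE-2021-22947,". In the description bullet, "an URL transfer library" should read "a URL transfer library".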
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-2] 234705b385 Bug #55140: curl 7.64.0-4+deb10u3
 doc/errata/staging/curl.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x394>