
Accepted curl 7.74.0-1.3+deb11u7~bpo11+1 (source) into buster-backports



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 25 Mar 2023 22:13:33 +0000
Source: curl
Built-For-Profiles: nocheck
Architecture: source
Version: 7.74.0-1.3+deb11u7~bpo11+1
Distribution: buster-backports
Urgency: high
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Closes: 989064 990128 1018831 1030863
Changes:
 curl (7.74.0-1.3+deb11u7~bpo11+1) buster-backports; urgency=medium
 .
   * Rebuild for buster-backports.
 .
 curl (7.74.0-1.3+deb11u7) bullseye-security; urgency=medium
 .
   * Fix CVE-2023-23916: HTTP multi-header compression denial of service:
     - Done by d/p/CVE-2023-23916.patch.
 .
 curl (7.74.0-1.3+deb11u6) bullseye-security; urgency=high
 .
   * Follow up to CVE-2022-27774:
     The revised patch for this CVE in 7.74.0-1.3+deb11u5 contained a defect
     such that it incorrectly manages redirects with authentication.  As a
     result, authentication credentials are cleared in some instances where they
     should be retained, breaking certain requests.  The patch is corrected in
     this version (closes: #1030863).
 .
 curl (7.74.0-1.3+deb11u5) bullseye-security; urgency=high
 .
   * Follow up to CVE-2022-27774:
     The patch included to address this CVE in 7.74.0-1.3+deb11u2 was not
     effective and the vulnerability was still present.  The patch is corrected
     and the vulnerability addressed in this version.  Thanks to Kamil Dudka
     for providing the patches used in CentOS 8 and 9 and upon which the
     corrected patch is based.
 .
 curl (7.74.0-1.3+deb11u4) bullseye-security; urgency=high
 .
   * Fix backport of patch for CVE-2021-22946, which was passing a wrong first
     argument to ftp_state_user_resp, this was likely causing a regression when
     using ftp.
   * Backport two patches from upstream to solve 2 CVEs:
     CVE-2022-32221.patch, CVE-2022-43552.patch.
     - CVE-2022-32221: POST following PUT confusion
       When doing HTTP(S) transfers, libcurl might erroneously use the read
       callback (CURLOPT_READFUNCTION) to ask for data to send, even when the
       CURLOPT_POSTFIELDS option has been set, if the same handle previously
       was used to issue a PUT request which used that callback.
       .
       This flaw may surprise the application and cause it to misbehave and
       either send off the wrong data or use memory after free or similar in the
       subsequent POST request.
     - CVE-2022-43552: HTTP Proxy deny use-after-free
       curl can be asked to tunnel virtually all protocols it supports through
       an HTTP proxy. HTTP proxies can (and often do) deny such tunnel
       operations using an appropriate HTTP error response code.
       .
       When getting denied to tunnel the specific protocols SMB or TELNET, curl
       would use a heap-allocated struct after it had been freed, in its
       transfer shutdown code path.
 .
 curl (7.74.0-1.3+deb11u3) bullseye; urgency=medium
 .
   * cookie: reject cookies with "control bytes" (CVE-2022-35252)
     (Closes: #1018831)
   * test8: verify that "ctrl-byte cookies" are ignored
 .
 curl (7.74.0-1.3+deb11u2) bullseye-security; urgency=high
 .
   * Non-maintainer upload.
   * CVE-2021-22898:
     curl suffers from an information disclosure when the `-t` command line
     option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send
     variable=content pairs to TELNET servers. Due to a flaw in the option
     parser for sending NEW_ENV variables, libcurl could be made to pass on
     uninitialized data from a stack based buffer to the server, resulting in
     potentially revealing sensitive internal information to the server using a
     clear-text network protocol.
   * CVE-2021-22924:
     libcurl keeps previously used connections in a connection pool for
     subsequent transfers to reuse, if one of them matches the setup. Due to
     errors in the logic, the config matching function did not take
     'issuercert' into account and it compared the involved paths *case
     insensitively*, which could lead to libcurl reusing wrong connections.
     File paths are, or can be, case sensitive on many systems but not all,
     and can even vary depending on used file systems. The comparison also
     didn't include the 'issuer cert' which a transfer can set to qualify how
     to verify the server certificate.
   * CVE-2021-22945:
     When sending data to an MQTT server, libcurl could in some circumstances
     erroneously keep a pointer to an already freed memory area and both use
     that again in a subsequent call to send data and also free it *again*.
   * CVE-2021-22946:
     A user can tell curl to require a successful upgrade to TLS when speaking
     to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or
     `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with
     libcurl). This requirement could be bypassed if the server would return
     a properly crafted but perfectly legitimate response. This flaw would then
     make curl silently continue its operations **without TLS** contrary to the
     instructions and expectations, exposing possibly sensitive data in clear
     text over the network.
   * CVE-2021-22947:
     When curl connects to an IMAP or POP3 server to retrieve data using
     STARTTLS to upgrade to TLS security, the server can respond and send back
     multiple responses at once that curl caches. curl would then upgrade to TLS
     but not flush the in-queue of cached responses but instead continue using
     and trusting the responses it got *before* the TLS handshake as if they
     were authenticated. Using this flaw, it allows a Man-In-The-Middle attacker
     to first inject the fake responses, then pass-through the TLS traffic from
     the legitimate server and trick curl into sending data back to the user
     thinking the attacker's injected data comes from the TLS-protected server.
   * CVE-2022-22576:
     An improper authentication vulnerability exists in curl which might allow
     reuse of OAUTH2-authenticated connections without properly making sure
     that the connection was authenticated with the same credentials as set for
     this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S),
     POP3(S) and LDAP(S) (openldap only).
   * CVE-2022-27774:
     An insufficiently protected credentials vulnerability exists in curl that
     could allow an attacker to extract credentials: when following HTTP(S)
     redirects is used with authentication, curl could leak credentials to
     other services that exist on different protocols or port numbers.
   * CVE-2022-27775:
     An information disclosure vulnerability exists in curl. By using an
     IPv6 address that was in the connection pool but with a different zone id
     it could reuse a connection instead.
   * CVE-2022-27776:
     An insufficiently protected credentials vulnerability in curl might leak
     authentication or cookie header data on HTTP redirects to the same host but
     another port number.
   * CVE-2022-27781:
     libcurl provides the `CURLOPT_CERTINFO` option to allow applications to
     request details to be returned about a server's certificate chain. Due to
     an erroneous function, a malicious server could make libcurl built with
     NSS get stuck in a never-ending busy-loop when trying to retrieve that
     information.
   * CVE-2022-27782:
     libcurl would reuse a previously created connection even when a TLS or
     SSH related option had been changed that should have prohibited reuse.
     libcurl keeps previously used connections in a connection pool for
     subsequent transfers to reuse if one of them matches the setup. However,
     several TLS and SSH settings were left out from the configuration match
     checks, making them match too easily.
   * CVE-2022-32205:
     A malicious server can serve excessive amounts of `Set-Cookie:` headers in
     an HTTP response to curl and curl stores all of them. A sufficiently large
     amount of (big) cookies make subsequent HTTP requests to this, or other
     servers to which the cookies match, create requests that become larger than
     the threshold that curl uses internally to avoid sending crazy large
     requests (1048576 bytes) and instead returns an error. This denial state
     might remain for as long as the same cookies are kept, match and haven't
     expired. Due to cookie matching rules, a server on `foo.example.com` can
     set cookies that also would match for `bar.example.com`, making it
     possible for a "sister server" to effectively cause a denial of service for
     a sibling site on the same second level domain using this method.
   * CVE-2022-32206:
     curl supports "chained" HTTP compression algorithms, meaning that a
     server response can be compressed multiple times and potentially with
     different algorithms. The number of acceptable "links" in this
     "decompression chain" was unbounded, allowing a malicious server to insert
     a virtually unlimited number of compression steps. The use of such a
     decompression chain could result in a "malloc bomb", making curl end up
     spending enormous amounts of allocated heap memory, or trying to and
     returning out of memory errors.
   * CVE-2022-32207:
     When curl saves cookies, alt-svc and hsts data to local files, it makes the
     operation atomic by finalizing the operation with a rename from a temporary
     name to the final target file name. In that rename operation, it might
     accidentally *widen* the permissions for the target file, leaving the
     updated file accessible to more users than intended.
   * CVE-2022-32208:
     When curl does FTP transfers secured by krb5, it handles message
     verification failures wrongly. This flaw makes it possible for a
     Man-In-The-Middle attack to go unnoticed and even allows it to inject data
     to the client.
 .
 curl (7.74.0-1.3+deb11u1) bullseye; urgency=medium
 .
   * Non-maintainer upload.
   * Also remove -ffile-prefix-map from curl-config. (Closes: #990128)
 .
 curl (7.74.0-1.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Add upstream patch bc7ecc7 so curl -w times shown as seconds with
     fractions (Closes: #989064)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
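
The CVE-2022-27774 and CVE-2022-27776 entries above, and the two follow-up uploads, all turn on one decision: whether a redirect target shares protocol, host and port with the original URL, so that credentials are dropped when any of them changes and retained otherwise. The following is an added illustration of that check, not the Debian or upstream curl patch; `parse_origin` and `keep_credentials_on_redirect` are hypothetical names, the URLs are constructed, and userinfo or bracketed IPv6 hosts are not parsed and therefore fall into the drop case.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct origin { char scheme[16]; char host[256]; long port; };

/* Copy n bytes lowercased: scheme and host compare case-insensitively. */
static void copy_lower(char *dst, const char *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
}

/* Parse scheme://host[:port][/...]; returns 0 on success, -1 otherwise. */
static int parse_origin(const char *url, struct origin *o) {
    const char *sep = strstr(url, "://");
    if (!sep || sep == url || (size_t)(sep - url) >= sizeof o->scheme) return -1;
    copy_lower(o->scheme, url, (size_t)(sep - url));
    const char *h = sep + 3;
    size_t hlen = strcspn(h, ":/?#");
    if (hlen == 0 || hlen >= sizeof o->host) return -1;
    copy_lower(o->host, h, hlen);
    o->port = !strcmp(o->scheme, "http") ? 80 :      /* default ports; */
              !strcmp(o->scheme, "https") ? 443 :    /* 0 = unknown scheme */
              !strcmp(o->scheme, "ftp") ? 21 : 0;
    if (h[hlen] == ':') {                            /* explicit port */
        char *end;
        o->port = strtol(h + hlen + 1, &end, 10);
        if (end == h + hlen + 1 || o->port < 1 || o->port > 65535) return -1;
        if (*end && !strchr("/?#", *end)) return -1;
    }
    return o->port ? 0 : -1;
}

/* 1 = keep credentials on the redirect, 0 = drop them (also on parse error). */
int keep_credentials_on_redirect(const char *from, const char *to) {
    struct origin a, b;
    if (parse_origin(from, &a) || parse_origin(to, &b)) return 0;
    return !strcmp(a.scheme, b.scheme) && !strcmp(a.host, b.host) &&
           a.port == b.port;
}

int main(void) {                                     /* constructed URLs */
    const char *from = "https://api.example.com/login";
    const char *to[] = { "https://API.example.com:443/n", "https://api.example.com:8443/n",
                         "http://api.example.com/n", "https://other.example.net/n" };
    for (size_t i = 0; i < 4; i++)
        printf("%-34s %s\n", to[i], keep_credentials_on_redirect(from, to[i]) ? "keep" : "drop");
}
```

The first target differs only in letter case and an explicit default port, so credentials are kept; the other three change port, protocol or host and are dropped.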

