-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Low: curl security and bug fix update
Advisory ID:       RHSA-2023:2963-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2963
Issue date:        2023-05-16
CVE Names:         CVE-2022-35252 CVE-2022-43552 
====================================================================
1. Summary:

An update for curl is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

The curl packages provide the libcurl library and the curl utility for
downloading files from servers using various protocols, including HTTP,
FTP, and LDAP.

Security Fix(es):

* curl: Incorrect handling of control code characters in cookies
(CVE-2022-35252)

* curl: Use-after-free triggered by an HTTP proxy deny response
(CVE-2022-43552)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.8 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2120718 - CVE-2022-35252 curl: Incorrect handling of control code characters in cookies
2139337 - Fall back automagically to HTTP1.1 from HTTP2.0 when performing auth method
2152652 - CVE-2022-43552 curl: Use-after-free triggered by an HTTP proxy deny response
2166254 - curl fails large file downloads for some http2 server

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
curl-7.61.1-30.el8.src.rpm

aarch64:
curl-7.61.1-30.el8.aarch64.rpm
curl-debuginfo-7.61.1-30.el8.aarch64.rpm
curl-debugsource-7.61.1-30.el8.aarch64.rpm
curl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm
libcurl-7.61.1-30.el8.aarch64.rpm
libcurl-debuginfo-7.61.1-30.el8.aarch64.rpm
libcurl-devel-7.61.1-30.el8.aarch64.rpm
libcurl-minimal-7.61.1-30.el8.aarch64.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm

ppc64le:
curl-7.61.1-30.el8.ppc64le.rpm
curl-debuginfo-7.61.1-30.el8.ppc64le.rpm
curl-debugsource-7.61.1-30.el8.ppc64le.rpm
curl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm
libcurl-7.61.1-30.el8.ppc64le.rpm
libcurl-debuginfo-7.61.1-30.el8.ppc64le.rpm
libcurl-devel-7.61.1-30.el8.ppc64le.rpm
libcurl-minimal-7.61.1-30.el8.ppc64le.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm

s390x:
curl-7.61.1-30.el8.s390x.rpm
curl-debuginfo-7.61.1-30.el8.s390x.rpm
curl-debugsource-7.61.1-30.el8.s390x.rpm
curl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm
libcurl-7.61.1-30.el8.s390x.rpm
libcurl-debuginfo-7.61.1-30.el8.s390x.rpm
libcurl-devel-7.61.1-30.el8.s390x.rpm
libcurl-minimal-7.61.1-30.el8.s390x.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm

x86_64:
curl-7.61.1-30.el8.x86_64.rpm
curl-debuginfo-7.61.1-30.el8.i686.rpm
curl-debuginfo-7.61.1-30.el8.x86_64.rpm
curl-debugsource-7.61.1-30.el8.i686.rpm
curl-debugsource-7.61.1-30.el8.x86_64.rpm
curl-minimal-debuginfo-7.61.1-30.el8.i686.rpm
curl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm
libcurl-7.61.1-30.el8.i686.rpm
libcurl-7.61.1-30.el8.x86_64.rpm
libcurl-debuginfo-7.61.1-30.el8.i686.rpm
libcurl-debuginfo-7.61.1-30.el8.x86_64.rpm
libcurl-devel-7.61.1-30.el8.i686.rpm
libcurl-devel-7.61.1-30.el8.x86_64.rpm
libcurl-minimal-7.61.1-30.el8.i686.rpm
libcurl-minimal-7.61.1-30.el8.x86_64.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.i686.rpm
libcurl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-35252
https://access.redhat.com/security/cve/CVE-2022-43552
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZGNu7NzjgjWX9erEAQiiYA/+LOTmv9yZK6GKeddwdBQrjC+qTqPXVS3w
HI4pz5FK7aDXOd1eC3ekH62/lH+0kvJZluY7JEyZr+HBdIPo/KUcKGtZsADsxjZ+
xqD1p8ywfSGPsbgU1sRUnBLy3ViGfvacfRgsiQHOtV523po+u8Mh3D0xz7IMKpNf
56xoq3r8vpzvzdy3G+S+frcDcf0msQz1U9TWegKtbS807FAaBCpyaUS25X4LJYik
g9baa6BuGqXT4abYPgCK+URiQlMFAidSvfg5Er8cBZQveYvp7CLbq04I/h17RYHt
aBcvohkP4BmAHbKWte16YUbzxoOOvAw2sgTOh7gT4P1cbe9WY+ugVDKc823Ze14D
gGjkaSR1bTZmX2FkGXG6JiwwZRJ3DX4LJAjyGsNx9GrE8BSHI5W50wqasDuSgFyB
rT1s/aBK0F6sZXpJVg5URUYVNG6RcnvS5S3SSvkzA+jviKxYraqPIuWhTQ2ygQlt
dQFsuLwZcWJ4Fi59wb1Q/J5cYxfrnf/scIrwuNY/WOGn1peXm5nFRTc1hXegmYLr
/uqbatNZsLPNME8x9TnMf6IhnnYdL5YeVQe/VqaRFK1XgjI3t4sI7serChavrIHS
a/Nxf0PXwvLAOMYflvb7WKH5UukyzhypIqshvTLCie1ZjIyyG5POMruxxLvLGLXY
oqTE0cKjbSo=mFLP
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2023-2963:01 Low: curl

An update for curl is now available for Red Hat Enterprise Linux 8

Summary

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: Incorrect handling of control code characters in cookies (CVE-2022-35252)
* curl: Use-after-free triggered by an HTTP proxy deny response (CVE-2022-43552)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2022-35252 https://access.redhat.com/security/cve/CVE-2022-43552 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.8_release_notes/index

Package List

Red Hat Enterprise Linux BaseOS (v. 8):
Source: curl-7.61.1-30.el8.src.rpm
aarch64: curl-7.61.1-30.el8.aarch64.rpm curl-debuginfo-7.61.1-30.el8.aarch64.rpm curl-debugsource-7.61.1-30.el8.aarch64.rpm curl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm libcurl-7.61.1-30.el8.aarch64.rpm libcurl-debuginfo-7.61.1-30.el8.aarch64.rpm libcurl-devel-7.61.1-30.el8.aarch64.rpm libcurl-minimal-7.61.1-30.el8.aarch64.rpm libcurl-minimal-debuginfo-7.61.1-30.el8.aarch64.rpm
ppc64le: curl-7.61.1-30.el8.ppc64le.rpm curl-debuginfo-7.61.1-30.el8.ppc64le.rpm curl-debugsource-7.61.1-30.el8.ppc64le.rpm curl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm libcurl-7.61.1-30.el8.ppc64le.rpm libcurl-debuginfo-7.61.1-30.el8.ppc64le.rpm libcurl-devel-7.61.1-30.el8.ppc64le.rpm libcurl-minimal-7.61.1-30.el8.ppc64le.rpm libcurl-minimal-debuginfo-7.61.1-30.el8.ppc64le.rpm
s390x: curl-7.61.1-30.el8.s390x.rpm curl-debuginfo-7.61.1-30.el8.s390x.rpm curl-debugsource-7.61.1-30.el8.s390x.rpm curl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm libcurl-7.61.1-30.el8.s390x.rpm libcurl-debuginfo-7.61.1-30.el8.s390x.rpm libcurl-devel-7.61.1-30.el8.s390x.rpm libcurl-minimal-7.61.1-30.el8.s390x.rpm libcurl-minimal-debuginfo-7.61.1-30.el8.s390x.rpm
x86_64: curl-7.61.1-30.el8.x86_64.rpm curl-debuginfo-7.61.1-30.el8.i686.rpm curl-debuginfo-7.61.1-30.el8.x86_64.rpm curl-debugsource-7.61.1-30.el8.i686.rpm curl-debugsource-7.61.1-30.el8.x86_64.rpm curl-minimal-debuginfo-7.61.1-30.el8.i686.rpm curl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm libcurl-7.61.1-30.el8.i686.rpm libcurl-7.61.1-30.el8.x86_64.rpm libcurl-debuginfo-7.61.1-30.el8.i686.rpm libcurl-debuginfo-7.61.1-30.el8.x86_64.rpm libcurl-devel-7.61.1-30.el8.i686.rpm libcurl-devel-7.61.1-30.el8.x86_64.rpm libcurl-minimal-7.61.1-30.el8.i686.rpm libcurl-minimal-7.61.1-30.el8.x86_64.rpm libcurl-minimal-debuginfo-7.61.1-30.el8.i686.rpm libcurl-minimal-debuginfo-7.61.1-30.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2023:2963-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2963
Issued Date: : 2023-05-16
CVE Names: CVE-2022-35252 CVE-2022-43552

Topic

An update for curl is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64


Bugs Fixed

2120718 - CVE-2022-35252 curl: Incorrect handling of control code characters in cookies

2139337 - Fall back automagically to HTTP1.1 from HTTP2.0 when performing auth method

2152652 - CVE-2022-43552 curl: Use-after-free triggered by an HTTP proxy deny response

2166254 - curl fails large file downloads for some http2 server


Related News

Google Releases Chrome 130 with Critical Security Fixes for 17 Flaws
3 - 5 min read
Google recently unveiled Chrome 130 , an update that addresses several security vulnerabilities to ensure the web browser's safety and reliability.
U.S. Investigation into China-Backed Telecom Companies Hack: The Role & Risks of Encryption Backdoors
3 - 5 min read
U.S. authorities are on high alert as they investigate an alleged Chinese state-sponsored hack targeting major U.S. telecommunications companies.
FASTCash Linux Malware: A New Cybercrime Menace Targeting Payment Switch Systems
3 - 5 min read
As malware threats evolve to increasingly target Linux systems, admins and organizations must stay up-to-date on the latest Linux malware variants
Optimizing CWPP on Linux Servers: Best Practices and Configurations
3 - 6 min read
Cloud Workload Protection Platforms are now essential for securing virtual environments. These provide a robust security layer vital for addressing
The Infiltration of Supply Chain Attacks in Open-Source Software Management
3 - 6 min read
Open-source projects are renowned for their collaborative nature and widespread adoption, yet more sophisticated supply chain attacks target them
Strengthen Your Linux Software Development Pipeline with Code Security Scanners
3 - 6 min read
Developers recognize the critical nature of protecting software systems as cyberattacks grow more sophisticated, thus necessitating robust security
Everything You Need to Know About Cloud Security Posture Management
3 - 5 min read
Many companies are transitioning from physical servers to cloud operations, but this transformation brings new challenges. Cloud Security Posture
Understanding the Critical Oath-Toolkit Vulnerability and Its Implications for Admins
3 - 5 min read
As Linux security threats advance and evolve, vulnerabilities often surface unexpectedly, exposing systems to potential exploitation. SUSE

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved