ID

VAR-202012-1279

CVE

CVE-2020-8286

TITLE

Debian Security Advisory 4881-1

DESCRIPTION

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. HAXX libcurl is an open source client-side URL transfer library developed by Haxx (HAXX) in Sweden. The product supports protocols such as FTP, SFTP, TFTP and HTTP. A security vulnerability exists in libcurl that could be exploited by an attacker to read or write data in a session by acting as a man-in-the-middle through low-level OCSP authentication on libcurl. CVE-2020-8177 sn reported that curl could be tricked by a malicious server into overwriting a local file when using th -J (--remote-header-name) and -i (--include) options in the same command line. CVE-2020-8231 Marc Aldorasi reported that libcurl might use the wrong connection when an application using libcurl's multi API sets the option CURLOPT_CONNECT_ONLY, which could lead to information leaks. CVE-2020-8285 xnynx reported that libcurl could run out of stack space when using tha FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION). CVE-2020-8286 It was reported that libcurl didn't verify that an OCSP response actually matches the certificate it is intended to. CVE-2021-22876 Viktor Szakats reported that libcurl does not strip off user credentials from the URL when automatically populating the Referer HTTP request header field in outgoing HTTP requests. CVE-2021-22890 Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3, libcurl could confuse session tickets arriving from the HTTPS proxy as if they arrived from the remote server instead. This could allow an HTTPS proxy to trick libcurl into using the wrong session ticket for the host and thereby circumvent the server TLS certificate check. For the stable distribution (buster), these problems have been fixed in version 7.64.0-4+deb10u2. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAmBkQCoACgkQbwzL4CFi Ryg6Gg/+LqhhJ8+D7skevVkYzxHzdH2yT/XMeoYp0D37yHmEfH9PyjXwfplG+XEw /xwFRBK8qxD1ja+rQddYyeTvi1OMnMgMS3UsRHlfeMnLxh2+oHnvHDYG848npUEZ Rq4YFoc/n9YTAJZP/G4oiuBeXqH2Sqa5hSNT6VrYfRciCxkYnzA78b85KpI8aYyR lhfiJMNpwrqDbt/QzblpELBkGMIV402VeiqDwHfcVzm2E810xXQNLvPMbWtvDYkA TSrNsdqfuFr1tuQSZY6CGSWEyXtB/tOo8+pvUixlJMBWJMl5TXEcJkD5ckehx0yb C3n9yapfklxHiG9lD4zwwIJDqd3Y4SxdDiSlUC4OhdvpwniMygX0S3ICaPA4iac/ cWanml0Fop3OmRy+vQURTd3sADoT5HoRSUXZVU+HdTrRaEt2xs5okZkWSd3yr4Ux i+HgjUAFkkk8DLRB68Bbpx1LGxFGQT7L8yd4wsWINXlzASIP1A5dnNfE5w0VWOHG 3KDq47wNfjuiZC8GXW+HQCxz5MijnS8Y/Egl0OozNFDwEitNBZEsIjpZaZBdZIwi UFfcK7+u/y/TRY54rA4erkdcHFwpYW5EZVGdb7Z+WPWVlzw0ImXrM68LSAhHQaqW 1Hx4VwwwTsMIPnrx2kriRiiDPOW1r5Kip3yHa+QZLedSRGibQWk= =001T -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: curl security and bug fix update Advisory ID: RHSA-2021:1610-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:1610 Issue date: 2021-05-18 CVE Names: CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 ==================================================================== 1. Summary: An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284) * curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285) * curl: Inferior OCSP verification (CVE-2020-8286) * curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set (CVE-2020-8231) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1868032 - CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set 1873327 - libcurl: Segfault when HTTPS_PROXY and NO_PROXY is used together 1895391 - multiarch conflicts in libcurl-minimal 1902667 - CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host 1902687 - CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used 1906096 - CVE-2020-8286 curl: Inferior OCSP verification 1918692 - Body dropped from POST request when using proxy with NTLM authentication 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: curl-7.61.1-18.el8.src.rpm aarch64: curl-7.61.1-18.el8.aarch64.rpm curl-debuginfo-7.61.1-18.el8.aarch64.rpm curl-debugsource-7.61.1-18.el8.aarch64.rpm curl-minimal-debuginfo-7.61.1-18.el8.aarch64.rpm libcurl-7.61.1-18.el8.aarch64.rpm libcurl-debuginfo-7.61.1-18.el8.aarch64.rpm libcurl-devel-7.61.1-18.el8.aarch64.rpm libcurl-minimal-7.61.1-18.el8.aarch64.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.aarch64.rpm ppc64le: curl-7.61.1-18.el8.ppc64le.rpm curl-debuginfo-7.61.1-18.el8.ppc64le.rpm curl-debugsource-7.61.1-18.el8.ppc64le.rpm curl-minimal-debuginfo-7.61.1-18.el8.ppc64le.rpm libcurl-7.61.1-18.el8.ppc64le.rpm libcurl-debuginfo-7.61.1-18.el8.ppc64le.rpm libcurl-devel-7.61.1-18.el8.ppc64le.rpm libcurl-minimal-7.61.1-18.el8.ppc64le.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.ppc64le.rpm s390x: curl-7.61.1-18.el8.s390x.rpm curl-debuginfo-7.61.1-18.el8.s390x.rpm curl-debugsource-7.61.1-18.el8.s390x.rpm curl-minimal-debuginfo-7.61.1-18.el8.s390x.rpm libcurl-7.61.1-18.el8.s390x.rpm libcurl-debuginfo-7.61.1-18.el8.s390x.rpm libcurl-devel-7.61.1-18.el8.s390x.rpm libcurl-minimal-7.61.1-18.el8.s390x.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.s390x.rpm x86_64: curl-7.61.1-18.el8.x86_64.rpm curl-debuginfo-7.61.1-18.el8.i686.rpm curl-debuginfo-7.61.1-18.el8.x86_64.rpm curl-debugsource-7.61.1-18.el8.i686.rpm curl-debugsource-7.61.1-18.el8.x86_64.rpm curl-minimal-debuginfo-7.61.1-18.el8.i686.rpm curl-minimal-debuginfo-7.61.1-18.el8.x86_64.rpm libcurl-7.61.1-18.el8.i686.rpm libcurl-7.61.1-18.el8.x86_64.rpm libcurl-debuginfo-7.61.1-18.el8.i686.rpm libcurl-debuginfo-7.61.1-18.el8.x86_64.rpm libcurl-devel-7.61.1-18.el8.i686.rpm libcurl-devel-7.61.1-18.el8.x86_64.rpm libcurl-minimal-7.61.1-18.el8.i686.rpm libcurl-minimal-7.61.1-18.el8.x86_64.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.i686.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8231 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYKPto9zjgjWX9erEAQh16A/7Byq8RPmIFM/cXYG93ASi4Zv7hnzQcC2N jmLQXZ6zcISfUgPHrd4ePRczWL/dqdF1qGqtcef0pvnR7WBF6FnKbptGthqgicis T8HKx8wf79RmEXvqenIsLOFCqzoyHOqcBWAmLIjG/w90QiVBd3H/OzPn59WlR27l ulmkFd76mr2CuU05aTTxKA5B7uL9SdDSFB6Ee/9iU9PSq/BqEOuKKcIiReyLwLDt 9x8OII61xtl/rukO3QsBclY5tWBfjx4Ja5gRq5+MWYUvZuGfiT0HnrPCzjbim8Xk ZEPVfYAjGnp9JN2SZCCvjb5DuF6l0AWCG6m8J6kuB4xujJN6v62+QjZ4dcOKB5DH RCZhqk8HRE3uT7vTrnaHvilsOPjKip+NNoxKLBrwIYpbdLx0t1tMGO5obP+jrOmU +2YOcwxaHQZZd2RQP8iK5JsZaTDhzzeWv/g5vYBu+kb1LcBy1x7uwE+yVfbYBgiR 1+coyOfOzjdkaVoaRcJnC9ETKLuWqaWmy/pdWRHKyhtNT3+LF4zK2hMPmYReh1gE hDSR7YcDtnOgpiSIxHDzSQwQSyYwACdOtU5nnr2ZYO2ppm3nTHuXTzmD9YcijQru m2BWtKQTPBdGBbEVoBpYN6OxSC5DkNh53D6e1hzxpb6kIRRyiiinLdNIHVlCJCtW 1dg/uh2h6WQ=FWND -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description: Windows Container Support for Red Hat OpenShift allows you to deploy Windows container workloads running on Windows Server containers. Bug Fix(es): * WMCO patch pub-key-hash annotation to Linux node (BZ#1945248) * LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath (BZ#1952917) * Telemetry info not completely available to identify windows nodes (BZ#1955319) * WMCO incorrectly shows node as ready after a failed configuration (BZ#1956412) * kube-proxy service terminated unexpectedly after recreated LB service (BZ#1963263) 3. Solution: For Windows Machine Config Operator upgrades, see the following documentation: https://docs.openshift.com/container-platform/4.7/windows_containers/window s-node-upgrades.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1945248 - WMCO patch pub-key-hash annotation to Linux node 1946538 - CVE-2021-25736 kubernetes: LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP, what could lead to MITM 1952917 - LoadBalancer Service type with invalid external loadbalancer IP breaks the datapath 1955319 - Telemetry info not completely available to identify windows nodes 1956412 - WMCO incorrectly shows node as ready after a failed configuration 1963263 - kube-proxy service terminated unexpectedly after recreated LB service 5. JIRA issues fixed (https://issues.jboss.org/): WINC-623 - Windows Container Support for Red Hat OpenShift 2.0.1 release 6. Bugs fixed (https://bugzilla.redhat.com/): 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1928172 - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 5. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6 and 4.7, and includes security and bug fixes and enhancements. Bugs fixed (https://bugzilla.redhat.com/): 1937901 - CVE-2021-27918 golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header 1965503 - CVE-2021-33196 golang: archive/zip: Malformed archive may cause panic or memory exhaustion 1971445 - Release of OpenShift Serverless Serving 1.16.0 1971448 - Release of OpenShift Serverless Eventing 1.16.0 5. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202012-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: cURL: Multiple vulnerabilities Date: December 23, 2020 Bugs: #737990, #759259 ID: 202012-14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in cURL, the worst of which could result in information disclosure or data loss. Background ========== A command line tool and library for transferring data with URLs. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/curl < 7.74.0 >= 7.74.0 Description =========== Multiple vulnerabilities have been discovered in cURL. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All cURL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/curl-7.74.0" References ========== [ 1 ] CVE-2020-8231 https://nvd.nist.gov/vuln/detail/CVE-2020-8231 [ 2 ] CVE-2020-8284 https://nvd.nist.gov/vuln/detail/CVE-2020-8284 [ 3 ] CVE-2020-8285 https://nvd.nist.gov/vuln/detail/CVE-2020-8285 [ 4 ] CVE-2020-8286 https://nvd.nist.gov/vuln/detail/CVE-2020-8286 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202012-14 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . ========================================================================== Ubuntu Security Notice USN-4665-1 December 09, 2020 curl vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in curl. This could result in data being sent to the wrong destination, possibly exposing sensitive information. This issue only affected Ubuntu 20.10. (CVE-2020-8231) Varnavas Papaioannou discovered that curl incorrectly handled FTP PASV responses. An attacker could possibly use this issue to trick curl into connecting to an arbitrary IP address and be used to perform port scanner and other information gathering. (CVE-2020-8284) It was discovered that curl incorrectly handled FTP wildcard matchins. A remote attacker could possibly use this issue to cause curl to consume resources and crash, resulting in a denial of service. A remote attacker could possibly use this issue to provide a fraudulent OCSP response. (CVE-2020-8286) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: curl 7.68.0-1ubuntu4.2 libcurl3-gnutls 7.68.0-1ubuntu4.2 libcurl3-nss 7.68.0-1ubuntu4.2 libcurl4 7.68.0-1ubuntu4.2 Ubuntu 20.04 LTS: curl 7.68.0-1ubuntu2.4 libcurl3-gnutls 7.68.0-1ubuntu2.4 libcurl3-nss 7.68.0-1ubuntu2.4 libcurl4 7.68.0-1ubuntu2.4 Ubuntu 18.04 LTS: curl 7.58.0-2ubuntu3.12 libcurl3-gnutls 7.58.0-2ubuntu3.12 libcurl3-nss 7.58.0-2ubuntu3.12 libcurl4 7.58.0-2ubuntu3.12 Ubuntu 16.04 LTS: curl 7.47.0-1ubuntu2.18 libcurl3 7.47.0-1ubuntu2.18 libcurl3-gnutls 7.47.0-1ubuntu2.18 libcurl3-nss 7.47.0-1ubuntu2.18 In general, a standard system update will make all the necessary changes

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-08-15T21:22:35.283000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE