ID

VAR-202108-2222

CVE

CVE-2021-22924

TITLE

Ubuntu Security Notice USN-5021-1

DESCRIPTION

libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. A security issue has been found in curl before version 7.78.0. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate. ========================================================================== Ubuntu Security Notice USN-5021-1 July 22, 2021 curl vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 21.04 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in curl. Software Description: - curl: HTTP, HTTPS, and FTP client and client libraries Details: Harry Sintonen and Tomas Hoger discovered that curl incorrectly handled TELNET connections when the -t option was used on the command line. Uninitialized data possibly containing sensitive information could be sent to the remote server, contrary to expectations. (CVE-2021-22898, CVE-2021-22925) Harry Sintonen discovered that curl incorrectly reused connections in the connection pool. This could result in curl reusing the wrong connections. (CVE-2021-22924) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 21.04: curl 7.74.0-1ubuntu2.1 libcurl3-gnutls 7.74.0-1ubuntu2.1 libcurl3-nss 7.74.0-1ubuntu2.1 libcurl4 7.74.0-1ubuntu2.1 Ubuntu 20.04 LTS: curl 7.68.0-1ubuntu2.6 libcurl3-gnutls 7.68.0-1ubuntu2.6 libcurl3-nss 7.68.0-1ubuntu2.6 libcurl4 7.68.0-1ubuntu2.6 Ubuntu 18.04 LTS: curl 7.58.0-2ubuntu3.14 libcurl3-gnutls 7.58.0-2ubuntu3.14 libcurl3-nss 7.58.0-2ubuntu3.14 libcurl4 7.58.0-2ubuntu3.14 In general, a standard system update will make all the necessary changes. Security fixes: * nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name (CVE-2021-23017) * redis: Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626) * redis: Integer overflow issue with Streams (CVE-2021-32627) * redis: Integer overflow bug in the ziplist data structure (CVE-2021-32628) * redis: Integer overflow issue with intsets (CVE-2021-32687) * redis: Integer overflow issue with strings (CVE-2021-41099) * redis: Out of bounds read in lua debugger protocol parser (CVE-2021-32672) * redis: Denial of service via Redis Standard Protocol (RESP) request (CVE-2021-32675) * helm: information disclosure vulnerability (CVE-2021-32690) Bug fixes: * KUBE-API: Support move agent to different cluster in the same namespace (BZ# 1977358) * Add columns to the Agent CRD list (BZ# 1977398) * ClusterDeployment controller watches all Secrets from all namespaces (BZ# 1986081) * RHACM 2.3.3 images (BZ# 1999365) * Workaround for Network Manager not supporting nmconnections priority (BZ# 2001294) * create cluster page empty in Safary Browser (BZ# 2002280) * Compliance state doesn't get updated after fixing the issue causing initially the policy not being able to update the managed object (BZ# 2002667) * Overview page displays VMware based managed cluster as other (BZ# 2004188) 3. Bugs fixed (https://bugzilla.redhat.com/): 1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name 1977358 - [4.8.0] KUBE-API: Support move agent to different cluster in the same namespace 1977398 - [4.8.0] [master] Add columns to the Agent CRD list 1978144 - CVE-2021-32690 helm: information disclosure vulnerability 1986081 - [4.8.0] ClusterDeployment controller watches all Secrets from all namespaces 1999365 - RHACM 2.3.3 images 2001294 - [4.8.0] Workaround for Network Manager not supporting nmconnections priority 2002280 - create cluster page empty in Safary Browser 2002667 - Compliance state doesn't get updated after fixing the issue causing initially the policy not being able to update the managed object 2004188 - Overview page displays VMware based managed cluster as other 2010991 - CVE-2021-32687 redis: Integer overflow issue with intsets 2011000 - CVE-2021-32675 redis: Denial of service via Redis Standard Protocol (RESP) request 2011001 - CVE-2021-32672 redis: Out of bounds read in lua debugger protocol parser 2011004 - CVE-2021-32628 redis: Integer overflow bug in the ziplist data structure 2011010 - CVE-2021-32627 redis: Integer overflow issue with Streams 2011017 - CVE-2021-32626 redis: Lua scripts can overflow the heap-based Lua stack 2011020 - CVE-2021-41099 redis: Integer overflow issue with strings 5. Description: Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools. Bugs fixed (https://bugzilla.redhat.com/): 1869800 - CVE-2020-8911 aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto SDK for golang 1869801 - CVE-2020-8912 aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto SDK for golang 1930083 - CVE-2021-3442 PT RHOAM: XSS in 3scale at various places 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: curl security update Advisory ID: RHSA-2021:3582-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:3582 Issue date: 2021-09-21 CVE Names: CVE-2021-22922 CVE-2021-22923 CVE-2021-22924 ===================================================================== 1. Summary: An update for curl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP. Security Fix(es): * curl: Content not matching hash in Metalink is not being discarded (CVE-2021-22922) * curl: Metalink download sends credentials (CVE-2021-22923) * curl: Bad connection reuse due to flawed path name checks (CVE-2021-22924) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1981435 - CVE-2021-22922 curl: Content not matching hash in Metalink is not being discarded 1981438 - CVE-2021-22923 curl: Metalink download sends credentials 1981460 - CVE-2021-22924 curl: Bad connection reuse due to flawed path name checks 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: curl-7.61.1-18.el8_4.1.src.rpm aarch64: curl-7.61.1-18.el8_4.1.aarch64.rpm curl-debuginfo-7.61.1-18.el8_4.1.aarch64.rpm curl-debugsource-7.61.1-18.el8_4.1.aarch64.rpm curl-minimal-debuginfo-7.61.1-18.el8_4.1.aarch64.rpm libcurl-7.61.1-18.el8_4.1.aarch64.rpm libcurl-debuginfo-7.61.1-18.el8_4.1.aarch64.rpm libcurl-devel-7.61.1-18.el8_4.1.aarch64.rpm libcurl-minimal-7.61.1-18.el8_4.1.aarch64.rpm libcurl-minimal-debuginfo-7.61.1-18.el8_4.1.aarch64.rpm ppc64le: curl-7.61.1-18.el8_4.1.ppc64le.rpm curl-debuginfo-7.61.1-18.el8_4.1.ppc64le.rpm curl-debugsource-7.61.1-18.el8_4.1.ppc64le.rpm curl-minimal-debuginfo-7.61.1-18.el8_4.1.ppc64le.rpm libcurl-7.61.1-18.el8_4.1.ppc64le.rpm libcurl-debuginfo-7.61.1-18.el8_4.1.ppc64le.rpm libcurl-devel-7.61.1-18.el8_4.1.ppc64le.rpm libcurl-minimal-7.61.1-18.el8_4.1.ppc64le.rpm libcurl-minimal-debuginfo-7.61.1-18.el8_4.1.ppc64le.rpm s390x: curl-7.61.1-18.el8_4.1.s390x.rpm curl-debuginfo-7.61.1-18.el8_4.1.s390x.rpm curl-debugsource-7.61.1-18.el8_4.1.s390x.rpm curl-minimal-debuginfo-7.61.1-18.el8_4.1.s390x.rpm libcurl-7.61.1-18.el8_4.1.s390x.rpm libcurl-debuginfo-7.61.1-18.el8_4.1.s390x.rpm libcurl-devel-7.61.1-18.el8_4.1.s390x.rpm libcurl-minimal-7.61.1-18.el8_4.1.s390x.rpm libcurl-minimal-debuginfo-7.61.1-18.el8_4.1.s390x.rpm x86_64: curl-7.61.1-18.el8_4.1.x86_64.rpm curl-debuginfo-7.61.1-18.el8_4.1.i686.rpm curl-debuginfo-7.61.1-18.el8_4.1.x86_64.rpm curl-debugsource-7.61.1-18.el8_4.1.i686.rpm curl-debugsource-7.61.1-18.el8_4.1.x86_64.rpm curl-minimal-debuginfo-7.61.1-18.el8_4.1.i686.rpm curl-minimal-debuginfo-7.61.1-18.el8_4.1.x86_64.rpm libcurl-7.61.1-18.el8_4.1.i686.rpm libcurl-7.61.1-18.el8_4.1.x86_64.rpm libcurl-debuginfo-7.61.1-18.el8_4.1.i686.rpm libcurl-debuginfo-7.61.1-18.el8_4.1.x86_64.rpm libcurl-devel-7.61.1-18.el8_4.1.i686.rpm libcurl-devel-7.61.1-18.el8_4.1.x86_64.rpm libcurl-minimal-7.61.1-18.el8_4.1.i686.rpm libcurl-minimal-7.61.1-18.el8_4.1.x86_64.rpm libcurl-minimal-debuginfo-7.61.1-18.el8_4.1.i686.rpm libcurl-minimal-debuginfo-7.61.1-18.el8_4.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-22922 https://access.redhat.com/security/cve/CVE-2021-22923 https://access.redhat.com/security/cve/CVE-2021-22924 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYUmbl9zjgjWX9erEAQi0VRAAkVIQKLPCBEK+Dy1js5VwXXZssOhvgmm/ xe9piCdrgBrbILxPEY0hkPYCmw3hKsRWD3FCMou6275HUJydJQpqANDmP/msUZOE LYJcM6cMWR7/2HWtgx6BQ5z6PZte+vzetzoHPDjI8O25kqd+BfT6JN0wCzKUQrUO auFPz1Sqj3UG1PHB62fSBJ4MpmRrCtJJh/Q84Rfp2JilVmsCpAOCm+gHEye3tu49 yF0fSA+JLS9Ut1XzaktucevPiwApj2dmxuagGFftvPzaP+cMz5V7Hv5akI89uapk L+Q4T37Fx53MQg+CAI1uDg2jxkfk96fijCoM2oczsQW4Np0HWH2tyAkg9+gJCB3h KScu9RXUr3uYCSoy9zyurEceoGbJWDRvh9B/0BNhY6ywjG+c/+bXAJDDs0pA049g CkpJERsNGhgXgDm+ONgVwxaHDRKlcX6wYTgyWfAw9qOLmhZrQbhfSzt9ebhpd0HL Avv8qpCjtxTx5E9QBAlnDcUCb3cqQkD3/j9y9I4zAtAFoF6oWQ4xqQO8cJqGNPZ/ qztENtA7CKd0bgYEPOuujdWtTnK/s3iww+LRkCuzHNzNneQGeSziZJfB38rlKCLq lZHwCRl0EYrfcjBziwR6LLbpEe2u6vdsQKDfPXHuld+wfgYTTmtxhTVPMy8FKSf5 TuOJZuxQys4= =DwWr -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Summary: The Migration Toolkit for Containers (MTC) 1.6.0 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Bugs fixed (https://bugzilla.redhat.com/): 1878824 - Web console is not accessible when deployed on OpenShift cluster on IBM Cloud 1887526 - "Stage" pods fail when migrating from classic OpenShift source cluster on IBM Cloud with block storage 1899562 - MigMigration custom resource does not display an error message when a migration fails because of volume mount error 1936886 - Service account token of existing remote cluster cannot be updated by using the web console 1936894 - "Ready" status of MigHook and MigPlan custom resources is not synchronized automatically 1949117 - "Migration plan resources" page displays a permanent error message when a migration plan is deleted from the backend 1951869 - MigPlan custom resource does not detect invalid source cluster reference 1968621 - Paused deployment config causes a migration to hang 1970338 - Parallel migrations fail because the initial backup is missing 1974737 - Migration plan name length in the "Migration plan" wizard is not validated 1975369 - "Debug view" link text on "Migration plans" page can be improved 1975372 - Destination namespace in MigPlan custom resource is not validated 1976895 - Namespace mapping cannot be changed using the Migration Plan wizard 1981810 - "Excluded" resources are not excluded from the migration 1982026 - Direct image migration fails if the source URI contains a double slash ("//") 1994985 - Web console crashes when a MigPlan custom resource is created with an empty namespaces list 1996169 - When "None" is selected as the target storage class in the web console, the setting is ignored and the default storage class is used 1996627 - MigPlan custom resource displays a "PvUsageAnalysisFailed" warning after a successful PVC migration 1996784 - "Migration resources" tree on the "Migration details" page is not displayed 1996902 - "Select all" checkbox on the "Namespaces" page of the "Migration plan" wizard remains selected after a namespace is unselected 1996904 - "Migration" dialogs on the "Migration plans" page display inconsistent capitalization 1996906 - "Migration details" page link is displayed for a migration plan with no associated migrations 1996938 - Search function on "Migration plans" page displays no results 1997051 - Indirect migration from MTC 1.5.1 to 1.6.0 fails during "StageBackup" phase 1997127 - Direct volume migration "retry" feature does not work correctly after a network failure 1997173 - Migration of custom resource definitions to OpenShift Container Platform 4.9 fails because of API version incompatibility 1997180 - "migration-log-reader" pod does not log invalid Rsync options 1997665 - Selected PVCs in the "State migration" dialog are reset because of background polling 1997694 - "Update operator" link on the "Clusters" page is incorrect 1997827 - "Migration plan" wizard displays PVC names incorrectly formatted after running state migration 1998062 - Rsync pod uses upstream image 1998283 - "Migration step details" link on the "Migrations" page does not work 1998550 - "Migration plan" wizard does not support certain screen resolutions 1998581 - "Migration details" link on "Migration plans" page displays "latestIsFailed" error 1999113 - "oc describe" and "oc log" commands on "Migration resources" tree cannot be copied after failed migration 1999381 - MigPlan custom resource displays "Stage completed with warnings" status after successful migration 1999528 - Position of the "Add migration plan" button is different from the other "Add" buttons 1999765 - "Migrate" button on "State migration" dialog is enabled when no PVCs are selected 1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function 2000205 - "Options" menu on the "Migration details" page displays incorrect items 2000218 - Validation incorrectly blocks namespace mapping if a source cluster namespace is the same as the destination namespace 2000243 - "Migration plan" wizard does not allow a migration within the same cluster 2000644 - Invalid migration plan causes "controller" pod to crash 2000875 - State migration status on "Migrations" page displays "Stage succeeded" message 2000979 - "clusterIPs" parameter of "service" object can cause Velero errors 2001089 - Direct volume migration fails because of missing CA path configuration 2001173 - Migration plan requires two clusters 2001786 - Migration fails during "Stage Backup" step because volume path on host not found 2001829 - Migration does not complete when the namespace contains a cron job with a PVC 2001941 - Fixing PVC conflicts in state migration plan using the web console causes the migration to run twice 2002420 - "Stage" pod not created for completed application pod, causing the "mig-controller" to stall 2002608 - Migration of unmounted PVC fails during "StageBackup" phase 2002897 - Rollback migration does not complete when the namespace contains a cron job 2003603 - "View logs" dialog displays the "--selector" option, which does not print all logs 2004601 - Migration plan status on "Migration plans" page is "Ready" after migration completed with warnings 2004923 - Web console displays "New operator version available" notification for incorrect operator 2005143 - Combining Rsync and Stunnel in a single pod can degrade performance 2006316 - Web console cannot create migration plan in a proxy environment 2007175 - Web console cannot be launched in a proxy environment 5. JIRA issues fixed (https://issues.jboss.org/): MIG-785 - Search for "Crane" in the Operator Hub should display the Migration Toolkit for Containers 6. Summary: Red Hat Advanced Cluster Management for Kubernetes 2.1.11 General Availability release images, which provide a security fix and update the container images. Description: Red Hat Advanced Cluster Management for Kubernetes 2.1.11 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains updates to one or more container images for Red Hat Advanced Cluster Management for Kubernetes. Container updates: * RHACM 2.1.11 images (BZ# 1999375) 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To apply this upgrade, you must upgrade your OpenShift Container Platform version to 4.6, or later. Bugs fixed (https://bugzilla.redhat.com/): 1963121 - CVE-2021-23017 nginx: Off-by-one in ngx_resolver_copy() when labels are followed by a pointer to a root domain name 1999375 - RHACM 2.1.11 images 5. Bugs fixed (https://bugzilla.redhat.com/): 1858777 - Alert for VM with 'evictionStrategy: LiveMigrate' for local PVs set 1891921 - virt-launcher is missing /usr/share/zoneinfo directory, making it impossible to set clock offset of timezone type for the guest RTC 1896469 - In cluster with OVN Kubernetes networking - a node doesn't recover when configuring linux-bridge over its default NIC 1903687 - [scale] 1K DV creation failed 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1933043 - Delete VM just after it turns into "running" is very likely to hit grace period end 1935219 - [CNV-2.5] Set memory and CPU request on hco-operator and hco-webhook deployments 1942726 - test automatic bug creation for a new release 1943164 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed 1945589 - Live migration with virtiofs is possible 1953481 - New OCP priority classes are not used - Deploy 1953483 - New OCP priority classes are not used - SSP 1953484 - New OCP priority classes are not used - Storage 1955129 - Failed to bindmount hotplug-disk for hostpath-provisioner 1957852 - Could not start VM as restore snapshot was still not Complete 1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header 1963963 - hco.kubevirt.io:config-reader role and rolebinding are not strictly reconciled 1965050 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount 1973852 - Introduce VM crashloop backoff 1976604 - [CNV-5786] IP connectivity is lost after migration (masquerade) 1976730 - Disk is not usable due to incorrect size for proper alignment 1979631 - virt-chroot: container disk validation crash prevents VMI from starting/migrating 1979659 - 4.9.0 containers 1981345 - 4.9.0 rpms 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1985083 - VMI Pod fails to terminate due to a zombie qemu process 1985649 - virt-handler Pod is missing xorrisofs command 1985670 - virt-launcher fails to create v1 controller cpu for group: Read-only file system 1985719 - Unprivileged client fails to get guest agent data 1989176 - kube-cni-linux-bridge-plugin Pod is missing bridge CNI plugin 1989263 - VM Snapshot may freeze guest indefinitely 1989269 - Online VM Snapshot storing incorrect VM spec 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1991691 - Enable DownwardMetrics FeatureGate via HCO CR 1992608 - kubevirt doesn't respect useEmulation: true 1993121 - Rhel9 templates - provider-url should be updated to https://www.redhat.com/ 1994389 - Some of the cdi resources missing app labels 1995295 - SCC annotation of ssp-operator was changed to privileged 1996407 - [cdi-functional-tests] cdi-docker-registry-host Pod fails to start 1997014 - Common templates - dataVolumeTemplates API version should be updated 1998054 - RHEL9 template - update template description. 1998656 - no "name" label in ssp-operator pod 1999571 - NFS clone not progressing when clone sizes mismatch (target > source) 1999617 - Unable to create a VM with nonroot VirtLauncher Pods 1999835 - ConsoleCLIDownload | wrong path in virtctl archive URL 2000052 - NNCP creation failures after nmstate-handler pod deletion 2000204 - [4.9.0] [RFE] volumeSnapshotStatuses reason does not check for volume type that do not support snapshots 2001041 - [4.9.0] Importer attempts to shrink an image in certain situations 2001047 - Automatic size detection may not request a PVC that is large enough for an import 2003473 - Failed to Migrate Windows VM with CDROM (readonly) 2005695 - With descheduler during multiple VMIs migrations, some VMs are restarted 2006418 - Clone Strategy does not work as described 2008900 - Eviction of not live migratable VMs due to virt-launcher upgrade can happen outside the upgrade window 2010742 - [CNV-4.9] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13 2011179 - Cluster-wide live migration limits and timeouts are not suitable 2017394 - After upgrade, live migration is Pending 2018521 - [Storage] Failed to restore VirtualMachineSnapshot after CNV upgrade 5. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet 1998844 - virt-handler Pod is missing xorrisofs command 2008522 - "unable to execute QEMU agent command 'guest-get-users'" logs in virt-launcher pod every 10 seconds 2010334 - VM is not able to be migrated after failed migration 2012328 - 2.6.8 containers 2013494 - [CNV-2.6.8] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13 5. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data or facilitate a denial of service attack. For the stable distribution (bullseye), these problems have been fixed in version 7.74.0-1.3+deb11u2. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmLoBaNfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeTf9A//VWkco2gxCMMe8JDcL9sLD0B5L8KGRxbPBYmpE1l2kCpiW9QGVwCN3q2K i8xo0jmRxSwSXDmAE17aTtGT66vU8vQSHewty031TcvWKBoAJpKRTbazfdOy/vDD waofTEaUClFt3NNiR3gigRU6OFV/9MWlUWwCJ/Wgd5osJTQCyWV/iHz3FJluc1Gp rXamYLnWGUJbIZgMFEo7TqIyb91P0PrX4hpnCcnhvY4ci5NWOj2qaoWGhgF+f9gz Uao91GTOnuTyoY3apKzifdO5dih9zJttnRKUgHkn9YCGxanljoPjHRYOavWdN6bE yIpT/Xw2dy05Fzydb73bDurQP+mkyWGZA+S8gxtbY7S7OylRS9iHSfyUpAVEM/Ab SPkGQl6vBKr7dmyHkdIlbViste6kcmhQQete9E3tM18MkyK0NbBiUj+pShNPC+SF REStal14ZE+DSwFKp5UA8izEh0G5RC5VUVhB/jtoxym2rvmIamk5YqCS1rupGP9R 1Y+Jm8CywBrKHl5EzAVUswC5xDAArWdXRvrgHCeElnkwuCwRC8AgRiYFFRulWKwt TV5qveehnzSc2z5IDc/tdiPWNJhJu/blNN8BauG8zmJV4ZhZP9EO1FCLE7DpqQ38 EPtUTMXaMQR1W15He51auBQwJgSiX1II+5jh6PeZTKBKnJgLYNA= =3E71 -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-09-17T21:55:56.983000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE