--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-1d24845e93
2021-11-03 01:10:35.195931
--------------------------------------------------------------------------------

Name        : curl
Product     : Fedora 35
Version     : 7.79.1
Release     : 1.fc35
URL         : https://curl.se/
Summary     : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP.  curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.

--------------------------------------------------------------------------------
Update Information:

- update to latest upstream bugfix release  ----  new upstream release, which
fixes the following vulnerabilities:  * CVE-2021-22947 - STARTTLS protocol
injection via MITM * CVE-2021-22946 - protocol downgrade required TLS bypassed *
CVE-2021-22945 - use-after-free and double-free in MQTT sending
--------------------------------------------------------------------------------
ChangeLog:

* Wed Sep 22 2021 Kamil Dudka  - 7.79.1-1
- new upstream release
* Thu Sep 16 2021 Kamil Dudka  - 7.79.0-4
- fix regression in http2 implementation introduced in the last release
* Thu Sep 16 2021 Sahana Prasad  - 7.79.0-3
- Rebuilt with OpenSSL 3.0.0
* Thu Sep 16 2021 Kamil Dudka  - 7.79.0-2
- make SCP/SFTP tests work with openssh-8.7p1
* Wed Sep 15 2021 Kamil Dudka  - 7.79.0-1
- new upstream release, which fixes the following vulnerabilities
    CVE-2021-22947 - STARTTLS protocol injection via MITM
    CVE-2021-22946 - protocol downgrade required TLS bypassed
    CVE-2021-22945 - use-after-free and double-free in MQTT sending
* Tue Sep 14 2021 Sahana Prasad  - 7.78.0-4
- Rebuilt with OpenSSL 3.0.0
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2004362 - CVE-2021-22945 curl: use-after-free and double-free in MQTT sending [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2004362
  [ 2 ] Bug #2004363 - CVE-2021-22947 curl: STARTTLS protocol injection via MITM [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2004363
  [ 3 ] Bug #2004374 - curl-7.79.0 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2004374
  [ 4 ] Bug #2004927 - CVE-2021-22946 curl: protocol downgrade required TLS bypassed [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2004927
  [ 5 ] Bug #2006653 - curl-7.79.1 is available
        https://bugzilla.redhat.com/show_bug.cgi?id=2006653
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-1d24845e93' at the command
line. For more information, refer to the dnf documentation available at
https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure