
Mageia 7 Critical Advisory: Curl Security Flaws Affecting Data Exposure

Distribution: Mageia 7
Date: December 31, 2020
Updated curl packages fix four vulnerabilities in the curl tool and libcurl, ranging from a dangling-pointer bug that can send data over the wrong connection to weak OCSP revocation checking; two of them can expose data to a malicious or otherwise unauthorized party.

Summary

Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. (CVE-2020-8231).
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. (CVE-2020-8284).
curl 7.21.0 up to and including 7.73.0 is vulnerable to uncontrolled recursion in FTP wildcard match parsing, which can exhaust the stack (stack overflow). (CVE-2020-8285).
curl 7.41.0 through 7.73.0 checks certificate revocation improperly because it does not sufficiently verify the stapled OCSP response. (CVE-2020-8286).
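The version ranges quoted above are the quickest way to triage a host. The following shell script is an added example for this page, not Mageia's or the curl project's own tooling: it parses the first line of `curl --version`, compares the upstream version against the four ranges in this advisory and prints the CVE IDs that apply. The `curl --version` sample string embedded for the offline case is constructed.

```shell
#!/bin/sh
# Triage helper for MGASA-2020-0482 (constructed example, not distribution tooling).
# Encodes the affected version ranges exactly as the advisory states them.

# ver_to_num 7.71.1 -> 7071001, so that plain integer comparison orders versions.
ver_to_num() {
    # Split "major.minor.patch" into positional parameters; missing parts count as 0.
    # shellcheck disable=SC2086
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# in_range VERSION LOW HIGH -> success if LOW <= VERSION <= HIGH (inclusive).
in_range() {
    v=$(ver_to_num "$1"); lo=$(ver_to_num "$2"); hi=$(ver_to_num "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# curl_cves_for_version VERSION -> prints the CVE IDs from this advisory that
# affect an *upstream* curl release of that version, one per line.
curl_cves_for_version() {
    in_range "$1" 7.29.0 7.71.1 && echo CVE-2020-8231   # wrong connection via dangling pointer
    in_range "$1" 0.0.0  7.73.0 && echo CVE-2020-8284   # FTP PASV response redirects connect()
    in_range "$1" 7.21.0 7.73.0 && echo CVE-2020-8285   # FTP wildcard recursion, stack exhaustion
    in_range "$1" 7.41.0 7.73.0 && echo CVE-2020-8286   # insufficient OCSP response verification
    return 0
}

# version_from_curl_output "<curl --version text>" -> the version token on line 1,
# e.g. "curl 7.71.0 (x86_64-mageia-linux-gnu) libcurl/7.71.0 ..." -> 7.71.0
version_from_curl_output() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" { print $2 }'
}

# Stand-alone use: inspect the curl on this host if present, else a constructed sample.
if command -v curl >/dev/null 2>&1; then
    curl_out=$(curl --version 2>/dev/null)
else
    curl_out='curl 7.71.0 (x86_64-mageia-linux-gnu) libcurl/7.71.0 OpenSSL/1.1.1g'  # constructed
fi
curl_ver=$(version_from_curl_output "$curl_out")
echo "upstream curl version: $curl_ver"
curl_cves_for_version "$curl_ver"
```

Two caveats apply to the result. First, the version test is necessary but not sufficient on a distribution: Mageia's fixed package is curl-7.71.0-1.1.mga7, which still reports 7.71.0 because the fixes are backported, so on an RPM system confirm the installed release with `rpm -q curl` and look for the CVE IDs in `rpm -q --changelog curl` rather than trusting the upstream version alone. Second, until the update is installed, FTP transfers can be run with `--ftp-skip-pasv-ip` (CURLOPT_FTP_SKIP_PASV_IP), which makes curl reuse the control connection's address instead of the one in the PASV response and removes the connect-back path of CVE-2020-8284.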

References

- https://bugs.mageia.org/show_bug.cgi?id=27154

- https://curl.se/docs/CVE-2020-8231.html

- https://ubuntu.com/security/notices/USN-4466-1

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7JHSXTQ7EUHJPYL333CB3OBCKHA5FQC/

- https://curl.se/docs/CVE-2020-8284.html

- https://curl.se/docs/CVE-2020-8285.html

- https://curl.se/docs/CVE-2020-8286.html

- https://ubuntu.com/security/notices/USN-4665-1

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/

- https://www.cve.org/CVERecord?id=CVE-2020-8231

- https://www.cve.org/CVERecord?id=CVE-2020-8284

- https://www.cve.org/CVERecord?id=CVE-2020-8285

- https://www.cve.org/CVERecord?id=CVE-2020-8286

Resolution

SRPMS

- 7/core/curl-7.71.0-1.1.mga7

Severity

critical

Publication date: 31 Dec 2020
URL: https://advisories.mageia.org/MGASA-2020-0482.html
Type: security
CVE: CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286
