What Are You Looking For?

Sign Up
MGASA-2023-0263 - Updated curl packages fix security vulnerability

Publication date: 24 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0263.html
Type: security
Affected Mageia releases: 8, 9
CVE: CVE-2023-27533,
     CVE-2023-27534,
     CVE-2023-27535,
     CVE-2023-27536,
     CVE-2023-27537,
     CVE-2023-27538,
     CVE-2023-28319,
     CVE-2023-28320,
     CVE-2023-28321,
     CVE-2023-28322,
     CVE-2023-38039

TELNET option IAC injection. (CVE-2023-27533)

SFTP path ~ resolving discrepancy. (CVE-2023-27534)

FTP too eager connection reuse. (CVE-2023-27535)

GSS delegation too eager connection re-use. (CVE-2023-27536)

HSTS double free. (CVE-2023-27537)

SSH connection too eager reuse still. (CVE-2023-27538)

UAF in SSH sha256 fingerprint check. (CVE-2023-28319)

siglongjmp race condition. (CVE-2023-28320)

IDN wildcard match. (CVE-2023-28321)

more POST-after-PUT confusion. (CVE-2023-28322)

HTTP headers eat all memory. (CVE-2023-38039)

References:
- https://bugs.mageia.org/show_bug.cgi?id=31703
- https://curl.se/docs/CVE-2023-27533.html
- https://curl.se/docs/CVE-2023-27534.html
- https://curl.se/docs/CVE-2023-27535.html
- https://curl.se/docs/CVE-2023-27536.html
- https://curl.se/docs/CVE-2023-27537.html
- https://curl.se/docs/CVE-2023-27538.html
- https://ubuntu.com/security/notices/USN-5964-1
- https://curl.se/docs/CVE-2023-28319.html
- https://curl.se/docs/CVE-2023-28320.html
- https://curl.se/docs/CVE-2023-28321.html
- https://curl.se/docs/CVE-2023-28322.html
- https://lists.suse.com/pipermail/sle-security-updates/2023-May/014913.html
- https://curl.se/docs/CVE-2023-32001.html
- https://curl.se/docs/CVE-2023-38039.html
- https://ubuntu.com/security/notices/USN-6363-1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27537
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27538
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28319
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28320
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38039

SRPMS:
- 8/core/curl-7.74.0-1.13.mga8
- 9/core/curl-7.88.1-3.1.mga9

Mageia 2023-0263: curl security update

TELNET option IAC injection

Summary

TELNET option IAC injection. (CVE-2023-27533)
SFTP path ~ resolving discrepancy. (CVE-2023-27534)
FTP too eager connection reuse. (CVE-2023-27535)
GSS delegation too eager connection re-use. (CVE-2023-27536)
HSTS double free. (CVE-2023-27537)
SSH connection too eager reuse still. (CVE-2023-27538)
UAF in SSH sha256 fingerprint check. (CVE-2023-28319)
siglongjmp race condition. (CVE-2023-28320)
IDN wildcard match. (CVE-2023-28321)
more POST-after-PUT confusion. (CVE-2023-28322)
HTTP headers eat all memory. (CVE-2023-38039)

References

- https://bugs.mageia.org/show_bug.cgi?id=31703

- https://curl.se/docs/CVE-2023-27533.html

- https://curl.se/docs/CVE-2023-27534.html

- https://curl.se/docs/CVE-2023-27535.html

- https://curl.se/docs/CVE-2023-27536.html

- https://curl.se/docs/CVE-2023-27537.html

- https://curl.se/docs/CVE-2023-27538.html

- https://ubuntu.com/security/notices/USN-5964-1

- https://curl.se/docs/CVE-2023-28319.html

- https://curl.se/docs/CVE-2023-28320.html

- https://curl.se/docs/CVE-2023-28321.html

- https://curl.se/docs/CVE-2023-28322.html

- https://lists.suse.com/pipermail/sle-security-updates/2023-May/014913.html

- https://curl.se/docs/CVE-2023-32001.html

- https://curl.se/docs/CVE-2023-38039.html

- https://ubuntu.com/security/notices/USN-6363-1

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27537

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27538

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28319

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28320

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38039

Resolution

MGASA-2023-0263 - Updated curl packages fix security vulnerability

SRPMS

- 8/core/curl-7.74.0-1.13.mga8

- 9/core/curl-7.88.1-3.1.mga9

Severity
Publication date: 24 Sep 2023
URL: https://advisories.mageia.org/MGASA-2023-0263.html
Type: security
CVE: CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538, CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322, CVE-2023-38039

Related News

New CacheWarp AMD CPU attack lets hackers gain root in Linux VMs

Nov 15, 2023

Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution

Jun 30, 2023

Proposed Linux Patch Would Allow Disabling CPU Security Mitigations At Build-Time

Feb 13, 2023

News

Advisories

HOWTOs

Features

Empowering MSPs with Straightforward Linux Device Management
A Complete Guide to Torrenting Safely in 2024
Cloud Security Basics for Small Businesses
Scanning and Defending Networks with Nmap
CISA Issues Urgent Warning Over Active Exploitation of Looney Tunables glibc Bug

About Us

Powered By

Footer Logo