Red Hat Enterprise Linux 8 RHSA-2021:1610-01 Moderate: Curl Security Update

red hat

May 18, 2021

An update for curl is now available for Red Hat Enterprise Linux 8

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.
Security Fix(es):
* curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)
* curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285)
* curl: Inferior OCSP verification (CVE-2020-8286)
* curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set (CVE-2020-8231)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.

Topics Covered

security advisory security update security issue bug fix Red Hat Enterprise Linux moderate severity curl FTP issue FTP

References

https://access.redhat.com/security/cve/CVE-2020-8231 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/

Package List

Red Hat Enterprise Linux BaseOS (v. 8):
Source: curl-7.61.1-18.el8.src.rpm
aarch64: curl-7.61.1-18.el8.aarch64.rpm curl-debuginfo-7.61.1-18.el8.aarch64.rpm curl-debugsource-7.61.1-18.el8.aarch64.rpm curl-minimal-debuginfo-7.61.1-18.el8.aarch64.rpm libcurl-7.61.1-18.el8.aarch64.rpm libcurl-debuginfo-7.61.1-18.el8.aarch64.rpm libcurl-devel-7.61.1-18.el8.aarch64.rpm libcurl-minimal-7.61.1-18.el8.aarch64.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.aarch64.rpm
ppc64le: curl-7.61.1-18.el8.ppc64le.rpm curl-debuginfo-7.61.1-18.el8.ppc64le.rpm curl-debugsource-7.61.1-18.el8.ppc64le.rpm curl-minimal-debuginfo-7.61.1-18.el8.ppc64le.rpm libcurl-7.61.1-18.el8.ppc64le.rpm libcurl-debuginfo-7.61.1-18.el8.ppc64le.rpm libcurl-devel-7.61.1-18.el8.ppc64le.rpm libcurl-minimal-7.61.1-18.el8.ppc64le.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.ppc64le.rpm
s390x: curl-7.61.1-18.el8.s390x.rpm curl-debuginfo-7.61.1-18.el8.s390x.rpm curl-debugsource-7.61.1-18.el8.s390x.rpm curl-minimal-debuginfo-7.61.1-18.el8.s390x.rpm libcurl-7.61.1-18.el8.s390x.rpm libcurl-debuginfo-7.61.1-18.el8.s390x.rpm libcurl-devel-7.61.1-18.el8.s390x.rpm libcurl-minimal-7.61.1-18.el8.s390x.rpm libcurl-minimal-debuginfo-7.61.1-18.el8.s390x.rpm
x86_64: curl-7.61.1-18.el8.x86_64.rpm

Read the Full Advisory

Severity

important

Lowest

Low

Medium

High

Critical

Advisory ID: RHSA-2021:1610-01

Product: Red Hat Enterprise Linux

Advisory URL: https://access.redhat.com/errata/RHSA-2021:1610

Issue date: 2021-05-18

Topic

An update for curl is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Topics Covered

security advisory security update security issue bug fix Red Hat Enterprise Linux moderate severity curl FTP issue FTP

Relevant Releases Architectures

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

Bugs Fixed

1868032 - CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set

1873327 - libcurl: Segfault when HTTPS_PROXY and NO_PROXY is used together

1895391 - multiarch conflicts in libcurl-minimal

1902667 - CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host

1902687 - CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used

1906096 - CVE-2020-8286 curl: Inferior OCSP verification

1918692 - Body dropped from POST request when using proxy with NTLM authentication

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Red Hat Enterprise Linux 8 RHSA-2021:1610-01 Moderate: Curl Security Update

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Red Hat Enterprise Linux 8 RHSA-2021:1610-01 Moderate: Curl Security Update

Solution

Summary

Topics Covered

References

Package List

Topic

Topics Covered

Relevant Releases Architectures

Bugs Fixed

Get the latest News and Insights

Related Articles

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!