Advisories ยป MGASA-2020-0282

Updated curl packages fix security vulnerability

Publication date: 05 Jul 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-8169 , CVE-2020-8177


Updated curl packages fix security vulnerabilities:

libcurl can be tricked to prepend a part of the password to the host name
before it resolves it, potentially leaking the partial password over the
network and to the DNS server(s) (CVE-2020-8169).

curl can be tricked by a malicious server to overwrite a local file when
using -J (--remote-header-name) and -i (--include) in the same command
line (CVE-2020-8177).

The curl package has been updated to version 7.71.0, fixing these issues
and other bugs.