Advisories » MGASA-2020-0282

Updated curl packages fix security vulnerability

Publication date: 05 Jul 2020
Modification date: 05 Jul 2020
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-8169, CVE-2020-8177

Description

Updated curl packages fix security vulnerabilities:

libcurl can be tricked into prepending part of the password to the host
name before it resolves it, potentially leaking the partial password over
the network and to the DNS server(s) (CVE-2020-8169).

curl can be tricked by a malicious server into overwriting a local file
when -J (--remote-header-name) and -i (--include) are used in the same
command line (CVE-2020-8177).

The curl package has been updated to version 7.71.0, fixing these issues
and other bugs.
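
An added example, not part of the Mageia advisory or the curl project: a heuristic Python check that flags curl command lines combining -J and -i (the CVE-2020-8177 pattern) and compares `curl --version` output with the fixed version 7.71.0. The function names, the set of value-taking short options and the sample command lines are assumptions constructed for illustration.

```python
import shlex

FIXED = (7, 71, 0)  # version the advisory updates curl to
# Short curl options that consume a value (assumed subset, not exhaustive).
TAKES_VALUE = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")
SHELL_SEPARATORS = {"|", "||", "&&", ";", "&"}

def curl_is_fixed(version_output):
    """Compare the first line of `curl --version` with 7.71.0."""
    words = version_output.split()
    if len(words) < 2 or words[0] != "curl":
        raise ValueError("not `curl --version` output")
    return tuple(int(p) for p in words[1].split(".")[:3]) >= FIXED

def combines_J_and_i(command):
    """True if one curl invocation uses -J together with -i (heuristic)."""
    tokens = shlex.split(command)
    start = next((n for n, t in enumerate(tokens)
                  if t.rsplit("/", 1)[-1] == "curl"), None)
    if start is None:
        return False
    seen = set()
    args = iter(tokens[start + 1:])
    for tok in args:
        if tok in SHELL_SEPARATORS:      # flags after a pipe belong elsewhere
            break
        if tok == "--remote-header-name":
            seen.add("J")
        elif tok == "--include":
            seen.add("i")
        elif tok.startswith("-") and not tok.startswith("--"):
            for pos, ch in enumerate(tok[1:], start=1):
                if ch in TAKES_VALUE:
                    if pos == len(tok) - 1:
                        next(args, None)  # value is the following token
                    break                 # rest of the cluster is the value
                seen.add(ch)
    return {"J", "i"} <= seen

if __name__ == "__main__":
    # Constructed sample command lines, not taken from the advisory.
    for line in ("curl -OJi https://example.test/report",
                 "curl -OJ https://example.test/report | grep -i name",
                 "curl -o Ji https://example.test/report"):
        print(combines_J_and_i(line), line)
```

The check does not expand shell variables or abbreviated long options, so treat a negative result on generated command lines as inconclusive.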
                

References

SRPMS

7/core