Updated curl packages fix security vulnerabilities
Publication date: 31 Dec 2020Modification date: 31 Dec 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-8231 , CVE-2020-8284 , CVE-2020-8285 , CVE-2020-8286
Description
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the
wrong connection when sending data. (CVE-2020-8231).
A malicious server can use the FTP PASV response to trick curl 7.73.0 and
earlier into connecting back to a given IP address and port, and this way
potentially make curl extract information about services that are otherwise
private and not disclosed, for example doing port scanning and service banner
extractions. (CVE-2020-8284).
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion
due to a stack overflow issue in FTP wildcard match parsing. (CVE-2020-8285).
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate
revocation due to insufficient verification of the OCSP response.
(CVE-2020-8286).
References
- https://bugs.mageia.org/show_bug.cgi?id=27154
- https://curl.haxx.se/docs/CVE-2020-8231.html
- https://ubuntu.com/security/notices/USN-4466-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7JHSXTQ7EUHJPYL333CB3OBCKHA5FQC/
- https://curl.se/docs/CVE-2020-8284.html
- https://curl.se/docs/CVE-2020-8285.html
- https://curl.se/docs/CVE-2020-8286.html
- https://ubuntu.com/security/notices/USN-4665-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8231
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8284
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8285
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8286
SRPMS
7/core
- curl-7.71.0-1.1.mga7