[ubuntu/bionic-security] curl 7.58.0-2ubuntu3.17 (Accepted)

Leonidas S. Barbosa leo.barbosa at canonical.com
Thu Apr 28 18:30:40 UTC 2022


curl (7.58.0-2ubuntu3.17) bionic-security; urgency=medium

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn resuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fix in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPV6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' haskey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776

Date: 2022-04-27 11:19:10.397933+00:00
Changed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.17
-------------- next part --------------
Sorry, changesfile not available.


More information about the Bionic-changes mailing list