[ubuntu/bionic-security] curl 7.58.0-2ubuntu3.17 (Accepted)
Leonidas S. Barbosa
leo.barbosa at canonical.com
Thu Apr 28 18:30:40 UTC 2022
curl (7.58.0-2ubuntu3.17) bionic-security; urgency=medium
  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn reuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fixes in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPV6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' hashkey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776
Date: 2022-04-27 11:19:10.397933+00:00
Changed-By: leo.barbosa at canonical.com (Leonidas S. Barbosa)
https://launchpad.net/ubuntu/+source/curl/7.58.0-2ubuntu3.17