curl-7.84.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12214 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z curl-7.84.0-1.1 on GA media These are all security issues fixed in the curl-7.84.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12214 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12214 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-32205/ SUSE CVE CVE-2022-32205 page https://www.suse.com/security/cve/CVE-2022-32206/ SUSE CVE CVE-2022-32206 page https://www.suse.com/security/cve/CVE-2022-32207/ SUSE CVE CVE-2022-32207 page https://www.suse.com/security/cve/CVE-2022-32208/ SUSE CVE CVE-2022-32208 page openSUSE Tumbleweed curl-7.84.0-1.1 libcurl-devel-7.84.0-1.1 libcurl-devel-32bit-7.84.0-1.1 libcurl4-7.84.0-1.1 libcurl4-32bit-7.84.0-1.1 curl-7.84.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-7.84.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-32bit-7.84.0-1.1 as a component of openSUSE Tumbleweed libcurl4-7.84.0-1.1 as a component of openSUSE Tumbleweed libcurl4-32bit-7.84.0-1.1 as a component of openSUSE Tumbleweed A malicious server can serve excessive amounts of `Set-Cookie:` headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larger than the threshold that curl uses internally to avoid sending crazy large requests (1048576 bytes) and instead returns an error.This denial state might remain for as long as the same cookies are kept, match and haven't expired. Due to cookie matching rules, a server on `foo.example.com` can set cookies that also would match for `bar.example.com`, making it it possible for a "sister server" to effectively cause a denial of service for a sibling site on the same second level domain using this method. CVE-2022-32205 openSUSE Tumbleweed:curl-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-7.84.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-32205.html CVE-2022-32205 https://bugzilla.suse.com/1200734 SUSE Bug 1200734 curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.The use of such a decompression chain could result in a "malloc bomb", makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of memory errors. CVE-2022-32206 openSUSE Tumbleweed:curl-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-7.84.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-32206.html CVE-2022-32206 https://bugzilla.suse.com/1200735 SUSE Bug 1200735 https://bugzilla.suse.com/1207992 SUSE Bug 1207992 When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. CVE-2022-32207 openSUSE Tumbleweed:curl-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-7.84.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-32207.html CVE-2022-32207 https://bugzilla.suse.com/1200736 SUSE Bug 1200736 When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. CVE-2022-32208 openSUSE Tumbleweed:curl-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl-devel-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-7.84.0-1.1 openSUSE Tumbleweed:libcurl4-7.84.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-32208.html CVE-2022-32208 https://bugzilla.suse.com/1200737 SUSE Bug 1200737