curl-7.88.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12735 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z curl-7.88.1-1.1 on GA media These are all security issues fixed in the curl-7.88.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12735 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12735 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-23914/ SUSE CVE CVE-2023-23914 page https://www.suse.com/security/cve/CVE-2023-23915/ SUSE CVE CVE-2023-23915 page https://www.suse.com/security/cve/CVE-2023-23916/ SUSE CVE CVE-2023-23916 page openSUSE Tumbleweed curl-7.88.1-1.1 libcurl-devel-7.88.1-1.1 libcurl-devel-32bit-7.88.1-1.1 libcurl4-7.88.1-1.1 libcurl4-32bit-7.88.1-1.1 curl-7.88.1-1.1 as a component of openSUSE Tumbleweed libcurl-devel-7.88.1-1.1 as a component of openSUSE Tumbleweed libcurl-devel-32bit-7.88.1-1.1 as a component of openSUSE Tumbleweed libcurl4-7.88.1-1.1 as a component of openSUSE Tumbleweed libcurl4-32bit-7.88.1-1.1 as a component of openSUSE Tumbleweed A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on. CVE-2023-23914 openSUSE Tumbleweed:curl-7.88.1-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-7.88.1-1.1 openSUSE Tumbleweed:libcurl-devel-7.88.1-1.1 openSUSE Tumbleweed:libcurl4-32bit-7.88.1-1.1 openSUSE Tumbleweed:libcurl4-7.88.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-23914.html CVE-2023-23914 https://bugzilla.suse.com/1207990 SUSE Bug 1207990 https://bugzilla.suse.com/1207991 SUSE Bug 1207991 A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recentlycompleted transfer. A later HTTP-only transfer to the earlier host name would then *not* get upgraded properly to HSTS. CVE-2023-23915 openSUSE Tumbleweed:curl-7.88.1-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-7.88.1-1.1 openSUSE Tumbleweed:libcurl-devel-7.88.1-1.1 openSUSE Tumbleweed:libcurl4-32bit-7.88.1-1.1 openSUSE Tumbleweed:libcurl4-7.88.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-23915.html CVE-2023-23915 https://bugzilla.suse.com/1207991 SUSE Bug 1207991 An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors. CVE-2023-23916 openSUSE Tumbleweed:curl-7.88.1-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-7.88.1-1.1 openSUSE Tumbleweed:libcurl-devel-7.88.1-1.1 openSUSE Tumbleweed:libcurl4-32bit-7.88.1-1.1 openSUSE Tumbleweed:libcurl4-7.88.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-23916.html CVE-2023-23916 https://bugzilla.suse.com/1207992 SUSE Bug 1207992