curl-8.5.0-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13509 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z curl-8.5.0-1.1 on GA media These are all security issues fixed in the curl-8.5.0-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13509 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13509 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-46218/ SUSE CVE CVE-2023-46218 page https://www.suse.com/security/cve/CVE-2023-46219/ SUSE CVE CVE-2023-46219 page openSUSE Tumbleweed curl-8.5.0-1.1 libcurl-devel-8.5.0-1.1 libcurl-devel-32bit-8.5.0-1.1 libcurl4-8.5.0-1.1 libcurl4-32bit-8.5.0-1.1 curl-8.5.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-8.5.0-1.1 as a component of openSUSE Tumbleweed libcurl-devel-32bit-8.5.0-1.1 as a component of openSUSE Tumbleweed libcurl4-8.5.0-1.1 as a component of openSUSE Tumbleweed libcurl4-32bit-8.5.0-1.1 as a component of openSUSE Tumbleweed This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain. CVE-2023-46218 openSUSE Tumbleweed:curl-8.5.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.5.0-1.1 openSUSE Tumbleweed:libcurl-devel-8.5.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.5.0-1.1 openSUSE Tumbleweed:libcurl4-8.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46218.html CVE-2023-46218 https://bugzilla.suse.com/1217573 SUSE Bug 1217573 When saving HSTS data to an excessively long file name, curl could end up removing all contents, making subsequent requests using that file unaware of the HSTS status they should otherwise use. CVE-2023-46219 openSUSE Tumbleweed:curl-8.5.0-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.5.0-1.1 openSUSE Tumbleweed:libcurl-devel-8.5.0-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.5.0-1.1 openSUSE Tumbleweed:libcurl4-8.5.0-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-46219.html CVE-2023-46219 https://bugzilla.suse.com/1217574 SUSE Bug 1217574