curl-8.7.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13805 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z curl-8.7.1-1.1 on GA media These are all security issues fixed in the curl-8.7.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13805 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13805 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-2004/ SUSE CVE CVE-2024-2004 page https://www.suse.com/security/cve/CVE-2024-2379/ SUSE CVE CVE-2024-2379 page https://www.suse.com/security/cve/CVE-2024-2398/ SUSE CVE CVE-2024-2398 page https://www.suse.com/security/cve/CVE-2024-2466/ SUSE CVE CVE-2024-2466 page openSUSE Tumbleweed curl-8.7.1-1.1 libcurl-devel-8.7.1-1.1 libcurl-devel-32bit-8.7.1-1.1 libcurl4-8.7.1-1.1 libcurl4-32bit-8.7.1-1.1 curl-8.7.1-1.1 as a component of openSUSE Tumbleweed libcurl-devel-8.7.1-1.1 as a component of openSUSE Tumbleweed libcurl-devel-32bit-8.7.1-1.1 as a component of openSUSE Tumbleweed libcurl4-8.7.1-1.1 as a component of openSUSE Tumbleweed libcurl4-32bit-8.7.1-1.1 as a component of openSUSE Tumbleweed When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug. CVE-2024-2004 openSUSE Tumbleweed:curl-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-8.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-2004.html CVE-2024-2004 https://bugzilla.suse.com/1221665 SUSE Bug 1221665 libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems. CVE-2024-2379 openSUSE Tumbleweed:curl-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-8.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-2379.html CVE-2024-2379 https://bugzilla.suse.com/1221666 SUSE Bug 1221666 When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. CVE-2024-2398 openSUSE Tumbleweed:curl-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-8.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-2398.html CVE-2024-2398 https://bugzilla.suse.com/1221667 SUSE Bug 1221667 libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc). CVE-2024-2466 openSUSE Tumbleweed:curl-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl-devel-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-32bit-8.7.1-1.1 openSUSE Tumbleweed:libcurl4-8.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-2466.html CVE-2024-2466 https://bugzilla.suse.com/1221668 SUSE Bug 1221668