Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:2230-1 Final 1 1 2023-05-17T08:00:26Z current 2023-05-17T08:00:26Z 2023-05-17T08:00:26Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231). - CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232). - CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-2230,SUSE-SLE-SERVER-12-SP2-BCL-2023-2230 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20232230-1/ Link for SUSE-SU-2023:2230-1 https://lists.suse.com/pipermail/sle-updates/2023-May/029436.html E-Mail link for SUSE-SU-2023:2230-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1211231 SUSE Bug 1211231 https://bugzilla.suse.com/1211232 SUSE Bug 1211232 https://bugzilla.suse.com/1211233 SUSE Bug 1211233 https://bugzilla.suse.com/1211339 SUSE Bug 1211339 https://www.suse.com/security/cve/CVE-2023-28320/ SUSE CVE CVE-2023-28320 page https://www.suse.com/security/cve/CVE-2023-28321/ SUSE CVE CVE-2023-28321 page https://www.suse.com/security/cve/CVE-2023-28322/ SUSE CVE CVE-2023-28322 page SUSE Linux Enterprise Server 12 SP2-BCL curl-7.37.0-37.98.1 libcurl-devel-7.37.0-37.98.1 libcurl-devel-32bit-7.37.0-37.98.1 libcurl-devel-64bit-7.37.0-37.98.1 libcurl4-7.37.0-37.98.1 libcurl4-32bit-7.37.0-37.98.1 libcurl4-64bit-7.37.0-37.98.1 curl-7.37.0-37.98.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libcurl4-7.37.0-37.98.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL libcurl4-32bit-7.37.0-37.98.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL A denial of service vulnerability exists in curl <v8.1.0 in the way libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave. CVE-2023-28320 SUSE Linux Enterprise Server 12 SP2-BCL:curl-7.37.0-37.98.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcurl4-32bit-7.37.0-37.98.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcurl4-7.37.0-37.98.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232230-1/ https://www.suse.com/security/cve/CVE-2023-28320.html CVE-2023-28320 https://bugzilla.suse.com/1211231 SUSE Bug 1211231 https://bugzilla.suse.com/1218210 SUSE Bug 1218210 An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to puny code before used for certificate checks. Puny coded names always start with `xn--` and should not be allowed to pattern match, but the wildcard check in curl could still check for `x*`, which would match even though the IDN name most likely contained nothing even resembling an `x`. CVE-2023-28321 SUSE Linux Enterprise Server 12 SP2-BCL:curl-7.37.0-37.98.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcurl4-32bit-7.37.0-37.98.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcurl4-7.37.0-37.98.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232230-1/ https://www.suse.com/security/cve/CVE-2023-28321.html CVE-2023-28321 https://bugzilla.suse.com/1211232 SUSE Bug 1211232 https://bugzilla.suse.com/1218210 SUSE Bug 1218210 An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. CVE-2023-28322 SUSE Linux Enterprise Server 12 SP2-BCL:curl-7.37.0-37.98.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcurl4-32bit-7.37.0-37.98.1 SUSE Linux Enterprise Server 12 SP2-BCL:libcurl4-7.37.0-37.98.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20232230-1/ https://www.suse.com/security/cve/CVE-2023-28322.html CVE-2023-28322 https://bugzilla.suse.com/1211233 SUSE Bug 1211233