This bug was fixed in the package curl - 7.68.0-1ubuntu2.10

---------------
curl (7.68.0-1ubuntu2.10) focal-security; urgency=medium

  * SECURITY UPDATE: OAUTH2 bypass
    - debian/patches/CVE-2022-22576.patch: check sasl additional
      parameters for conn reuse in lib/strcase.c, lib/strcase.h,
      lib/url.c, lib/urldata.h, lib/vtls/vtls.c.
    - CVE-2022-22576
  * SECURITY UPDATE: Credential leak on redirect
    - debian/patches/CVE-2022-27774-1.patch: store conn_remote_port
      in the info struct to make it available after the connection ended
      in lib/connect.c, lib/urldata.h.
    - debian/patches/CVE-2022-27774-2.patch: redirects to other protocols
      or ports clear auth in lib/transfer.c.
    - debian/patches/CVE-2022-27774-3*.patch: adds tests to verify
      these fixes in tests/data/Makefile.inc, tests/data/test973,
      tests/data/test974, tests/data/test975, tests/data/test976.
    - CVE-2022-27774
  * SECURITY UPDATE: Bad local IPv6 connection reuse
    - debian/patches/CVE-2022-27775.patch: include the zone id in the
      'bundle' hashkey in lib/conncache.c.
    - CVE-2022-27775
  * SECURITY UPDATE: Auth/cookie leak on redirect
    - debian/patches/CVE-2022-27776.patch: avoid auth/cookie on redirects
      same host diff port in lib/http.c, lib/urldata.h.
    - CVE-2022-27776

 -- Leonidas Da Silva Barbosa <leo.barb...@canonical.com>  Mon, 25 Apr 2022 10:02:10 -0300

** Changed in: curl (Ubuntu Focal)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-22576

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-27774

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-27775

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-27776

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940528

Title:
  curl 7.68 does not init OpenSSL correctly

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1940528/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
