Date: Sat, 10 Apr 2021 06:31:53 GMT From: Thomas Zander <riggs@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 1e8993822a93 - main - security/vuxml: Document 2 vulnerabilities in ftp/curl Security: CVE-2021-22876 CVE-2021-22890 Message-ID: <202104100631.13A6Vrwp054496@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by riggs: URL: https://cgit.FreeBSD.org/ports/commit/?id=1e8993822a938afd8bd61f5914150ed173a394bb commit 1e8993822a938afd8bd61f5914150ed173a394bb Author: Thomas Zander <riggs@FreeBSD.org> AuthorDate: 2021-04-10 06:24:55 +0000 Commit: Thomas Zander <riggs@FreeBSD.org> CommitDate: 2021-04-10 06:31:41 +0000 security/vuxml: Document 2 vulnerabilities in ftp/curl Security: CVE-2021-22876 CVE-2021-22890 PR: 254772 Reported by: yasu@utahime.org --- security/vuxml/vuln.xml | 87 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 254c63ca2526..6a2eb8116567 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -76,6 +76,93 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="d10fc771-958f-11eb-9c34-080027f515ea"> + <topic>curl -- TLS 1.3 session ticket proxy host mixup</topic> + <affects> + <package> + <name>curl</name> + <range><ge>7.63.0</ge><lt>7.76.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Daniel Stenberg reports:</p> + <blockquote cite="https://curl.se/docs/CVE-2021-22890.html">; + <p> + Enabled by default, libcurl supports the use of TLS 1.3 session + tickets to resume previous TLS sessions to speed up subsequent + TLS handshakes. + </p> + <p> + When using a HTTPS proxy and TLS 1.3, libcurl can confuse session + tickets arriving from the HTTPS proxy but work as if they arrived + from the remote server and then wrongly "short-cut" the host + handshake. The reason for this confusion is the modified sequence + from TLS 1.2 when the session ids would provided only during the + TLS handshake, while in TLS 1.3 it happens post hand-shake and + the code was not updated to take that changed behavior into account. + </p> + <p> + When confusing the tickets, a HTTPS proxy can trick libcurl to use + the wrong session ticket resume for the host and thereby circumvent + the server TLS certificate check and make a MITM attack to be + possible to perform unnoticed. + </p> + <p> + This flaw can allow a malicious HTTPS proxy to MITM the traffic. + Such a malicious HTTPS proxy needs to provide a certificate that + curl will accept for the MITMed server for an attack to work - + unless curl has been told to ignore the server certificate check. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-22890</cvename> + <url>https://curl.se/docs/CVE-2021-22890.html</url>; + </references> + <dates> + <discovery>2021-03-31</discovery> + <entry>2021-04-10</entry> + </dates> + </vuln> + + <vuln vid="b1194286-958e-11eb-9c34-080027f515ea"> + <topic>curl -- Automatic referer leaks credentials</topic> + <affects> + <package> + <name>curl</name> + <range><ge>7.1.1</ge><lt>7.76.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Daniel Stenberg reports:</p> + <blockquote cite="https://curl.se/docs/CVE-2021-22876.html">; + <p> + libcurl does not strip off user credentials from the URL when + automatically populating the Referer: HTTP request header field + in outgoing HTTP requests, and therefore risks leaking sensitive + data to the server that is the target of the second HTTP request. + </p> + <p> + libcurl automatically sets the Referer: HTTP request header field + in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. + With the curl tool, it is enabled with --referer ";auto". + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2021-22876</cvename> + <url>https://curl.se/docs/CVE-2021-22876.html</url>; + </references> + <dates> + <discovery>2021-03-31</discovery> + <entry>2021-04-10</entry> + </dates> + </vuln> + <vuln vid="8ba23a62-997d-11eb-9f0e-0800278d94f0"> <topic>gitea -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104100631.13A6Vrwp054496>