Date: Sun, 5 Mar 2023 01:02:54 GMT
From: Yasuhiro Kimura <yasu@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: d27d971cca05 - main - security/vuxml: Document multiple vulnerabilities in curl
Message-ID: <202303050102.32512sOU035633@gitrepo.freebsd.org>
The branch main has been updated by yasu: URL: https://cgit.FreeBSD.org/ports/commit/?id=d27d971cca05ec54857e60cfa81cfe9b7d1702c0 commit d27d971cca05ec54857e60cfa81cfe9b7d1702c0 Author: Yasuhiro Kimura <yasu@FreeBSD.org> AuthorDate: 2023-03-05 00:13:06 +0000 Commit: Yasuhiro Kimura <yasu@FreeBSD.org> CommitDate: 2023-03-05 01:02:16 +0000 security/vuxml: Document multiple vulnerabilities in curl --- security/vuxml/vuln/2023.xml | 73 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index a7553027e0a6..1252eb39342f 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml 
@@ -1,3 +1,76 @@ + <vuln vid="be233fc6-bae7-11ed-a4fb-080027f5fec9"> + <topic>curl -- multiple vulnerabilities</topic> + <affects> + <package> + <name>curl</name> + <range><lt>7.88.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Harry Sintonen and Patrick Monnerat report:</p> + <blockquote cite="https://curl.se/docs/security.html"> + <dl> + <dt>CVE-2023-23914</dt> + <dd> + A cleartext transmission of sensitive information + vulnerability exists in curl < v7.88.0 that could + cause HSTS functionality fail when multiple URLs are + requested serially. Using its HSTS support, curl can be + instructed to use HTTPS instead of using an insecure + clear-text HTTP step even when HTTP is provided in the + URL. This HSTS mechanism would however surprisingly be + ignored by subsequent transfers when done on the same + command line because the state would not be properly + carried on. + </dd> + <dt>CVE-2023-23915</dt> + <dd> + A cleartext transmission of sensitive information + vulnerability exists in curl < v7.88.0 that could + cause HSTS functionality to behave incorrectly when + multiple URLs are requested in parallel. Using its HSTS + support, curl can be instructed to use HTTPS instead of + using an insecure clear-text HTTP step even when HTTP is + provided in the URL. This HSTS mechanism would however + surprisingly fail when multiple transfers are done in + parallel as the HSTS cache file gets overwritten by the + most recently completed transfer. A later HTTP-only + transfer to the earlier host name would then *not* get + upgraded properly to HSTS. + </dd> + <dt>CVE-2023-23916</dt> + <dd> + An allocation of resources without limits or throttling + vulnerability exists in curl < v7.88.0 based on the + "chained" HTTP compression algorithms, meaning + that a server response can be compressed multiple times + and potentially with different algorithms. 
The number of + acceptable "links" in this "decompression + chain" was capped, but the cap was implemented on a + per-header basis allowing a malicious server to insert a + virtually unlimited number of compression steps simply + by using many headers. The use of such a decompression + chain could result in a "malloc bomb", making + curl end up spending enormous amounts of allocated heap + memory, or trying to and returning out of memory errors. + </dd> + </dl> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-23914</cvename> + <cvename>CVE-2023-23915</cvename> + <cvename>CVE-2023-23916</cvename> + <url>https://curl.se/docs/security.html</url> + </references> + <dates> + <discovery>2023-02-15</discovery> + <entry>2023-03-05</entry> + </dates> + </vuln> + <vuln vid="3f9b6943-ba58-11ed-bbbd-00e0670f2660"> <topic>strongSwan -- certificate verification vulnerability</topic> <affects>
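Review bot: The three `<dd>` paragraphs each contain the literal comparison `curl < v7.88.0`; inside the XHTML `<body>` of 2023.xml that `<` has to be written as the entity `&lt;`, otherwise the file no longer parses and every entry after it is lost to `pkg audit`. The archive rendering here shows a bare `<`, so please confirm the committed text is `curl &lt; v7.88.0` and that `make validate` in security/vuxml passes. The `<range><lt>7.88.0</lt></range>` bound and the 2023-02-15 discovery date do match the advisory text quoted in the entry.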