Security update for curl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:2249-1 Final 1 1 2020-12-14T17:26:21Z current 2020-12-14T17:26:21Z 2020-12-14T17:26:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-2249 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/W7TJUGEIZONXKJD6DWVYASM2KTYWZ6RI/ E-Mail link for openSUSE-SU-2020:2249-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179398 SUSE Bug 1179398 https://bugzilla.suse.com/1179399 SUSE Bug 1179399 https://bugzilla.suse.com/1179593 SUSE Bug 1179593 https://www.suse.com/security/cve/CVE-2020-8284/ SUSE CVE CVE-2020-8284 page https://www.suse.com/security/cve/CVE-2020-8285/ SUSE CVE CVE-2020-8285 page https://www.suse.com/security/cve/CVE-2020-8286/ SUSE CVE CVE-2020-8286 page openSUSE Leap 15.1 curl-7.60.0-lp151.5.18.1 curl-mini-7.60.0-lp151.5.18.1 libcurl-devel-7.60.0-lp151.5.18.1 libcurl-devel-32bit-7.60.0-lp151.5.18.1 libcurl-mini-devel-7.60.0-lp151.5.18.1 libcurl4-7.60.0-lp151.5.18.1 libcurl4-32bit-7.60.0-lp151.5.18.1 libcurl4-mini-7.60.0-lp151.5.18.1 curl-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 curl-mini-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 libcurl-devel-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 libcurl-devel-32bit-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 libcurl-mini-devel-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 libcurl4-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 libcurl4-32bit-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 libcurl4-mini-7.60.0-lp151.5.18.1 as a component of openSUSE Leap 15.1 A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. CVE-2020-8284 openSUSE Leap 15.1:curl-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:curl-mini-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-devel-32bit-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-devel-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-mini-devel-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-32bit-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-mini-7.60.0-lp151.5.18.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/W7TJUGEIZONXKJD6DWVYASM2KTYWZ6RI/ https://www.suse.com/security/cve/CVE-2020-8284.html CVE-2020-8284 https://bugzilla.suse.com/1179398 SUSE Bug 1179398 https://bugzilla.suse.com/1179399 SUSE Bug 1179399 https://bugzilla.suse.com/1186108 SUSE Bug 1186108 curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. CVE-2020-8285 openSUSE Leap 15.1:curl-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:curl-mini-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-devel-32bit-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-devel-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-mini-devel-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-32bit-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-mini-7.60.0-lp151.5.18.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/W7TJUGEIZONXKJD6DWVYASM2KTYWZ6RI/ https://www.suse.com/security/cve/CVE-2020-8285.html CVE-2020-8285 https://bugzilla.suse.com/1179399 SUSE Bug 1179399 https://bugzilla.suse.com/1186108 SUSE Bug 1186108 curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. CVE-2020-8286 openSUSE Leap 15.1:curl-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:curl-mini-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-devel-32bit-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-devel-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl-mini-devel-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-32bit-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-7.60.0-lp151.5.18.1 openSUSE Leap 15.1:libcurl4-mini-7.60.0-lp151.5.18.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/W7TJUGEIZONXKJD6DWVYASM2KTYWZ6RI/ https://www.suse.com/security/cve/CVE-2020-8286.html CVE-2020-8286 https://bugzilla.suse.com/1179593 SUSE Bug 1179593 https://bugzilla.suse.com/1186108 SUSE Bug 1186108