Attachment 223811 Details for Bug 254772 – Patch file

[patch] Patch file

security_vuxml_curl.patch (text/plain), 3.58 KB, created by Yasuhiro Kimura on 2021-04-04 22:12:52 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Yasuhiro Kimura

Created: 2021-04-04 22:12:52 UTC

Size: 3.58 KB

patch

obsolete

>diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
>index 98e485c04fae..493c7a2558df 100644
>--- a/security/vuxml/vuln.xml
>+++ b/security/vuxml/vuln.xml
>@@ -78,6 +78,93 @@ Notes:
> * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
>+ <vuln vid="d10fc771-958f-11eb-9c34-080027f515ea">
>+ <topic>curl -- TLS 1.3 session ticket proxy host mixup</topic>
>+ <affects>
>+ <package>
>+	<name>curl</name>
>+	<range><ge>7.63.0</ge><lt>7.76.0</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+	Daniel Stenberg reports:
>+	<blockquote cite="https://curl.se/docs/CVE-2021-22890.html">
>+	 
>+	 Enabled by default, libcurl supports the use of TLS 1.3 session
>+	 tickets to resume previous TLS sessions to speed up subsequent
>+	 TLS handshakes.
>+	 
>+	 
>+	 When using a HTTPS proxy and TLS 1.3, libcurl can confuse session
>+	 tickets arriving from the HTTPS proxy but work as if they arrived
>+	 from the remote server and then wrongly "short-cut" the host
>+	 handshake. The reason for this confusion is the modified sequence
>+	 from TLS 1.2 when the session ids would provided only during the
>+	 TLS handshake, while in TLS 1.3 it happens post hand-shake and
>+	 the code was not updated to take that changed behavior into account.
>+	 
>+	 
>+	 When confusing the tickets, a HTTPS proxy can trick libcurl to use
>+	 the wrong session ticket resume for the host and thereby circumvent
>+	 the server TLS certificate check and make a MITM attack to be
>+	 possible to perform unnoticed.
>+	 
>+	 
>+	 This flaw can allow a malicious HTTPS proxy to MITM the traffic.
>+	 Such a malicious HTTPS proxy needs to provide a certificate that
>+	 curl will accept for the MITMed server for an attack to work -
>+	 unless curl has been told to ignore the server certificate check.
>+	 
>+	</blockquote>
>+ </body>
>+ </description>
>+ <references>
>+ <cvename>CVE-2021-22890</cvename>
>+ <url>https://curl.se/docs/CVE-2021-22890.html</url>
>+ </references>
>+ <dates>
>+ <discovery>2021-03-31</discovery>
>+ <entry>2021-04-04</entry>
>+ </dates>
>+ </vuln>
>+
>+ <vuln vid="b1194286-958e-11eb-9c34-080027f515ea">
>+ <topic>curl -- Automatic referer leaks credentials</topic>
>+ <affects>
>+ <package>
>+	<name>curl</name>
>+	<range><ge>7.1.1</ge><lt>7.76.0</lt></range>
>+ </package>
>+ </affects>
>+ <description>
>+ <body xmlns="http://www.w3.org/1999/xhtml">
>+	Daniel Stenberg reports:
>+	<blockquote cite="https://curl.se/docs/CVE-2021-22876.html">
>+	 
>+	 libcurl does not strip off user credentials from the URL when
>+	 automatically populating the Referer: HTTP request header field
>+	 in outgoing HTTP requests, and therefore risks leaking sensitive
>+	 data to the server that is the target of the second HTTP request.
>+	 
>+	 
>+	 libcurl automatically sets the Referer: HTTP request header field
>+	 in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set.
>+	 With the curl tool, it is enabled with --referer ";auto".
>+	 
>+	</blockquote>
>+ </body>
>+ </description>
>+ <references>
>+ <cvename>CVE-2021-22876</cvename>
>+ <url>https://curl.se/docs/CVE-2021-22876.html</url>
>+ </references>
>+ <dates>
>+ <discovery>2021-03-31</discovery>
>+ <entry>2021-04-04</entry>
>+ </dates>
>+ </vuln>
>+
> <vuln vid="1f6d97da-8f72-11eb-b3f1-005056a311d1">
> <topic>samba -- Multiple Vulnerabilities</topic>
> <affects>

Actions: View | Diff

Attachments on bug 254772: 223811 | 223968