Security update for curl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0510-1 Final 1 1 2021-04-04T22:05:55Z current 2021-04-04T22:05:55Z 2021-04-04T22:05:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2021-22890: TLS 1.3 session ticket proxy host mixup (bsc#1183934) - CVE-2021-22876: Automatic referer leaks credentials (bsc#1183933) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-510 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HDAO4Q3JZASM6AK274RF74JN2GJOK5UE/ E-Mail link for openSUSE-SU-2021:0510-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1183933 SUSE Bug 1183933 https://bugzilla.suse.com/1183934 SUSE Bug 1183934 https://www.suse.com/security/cve/CVE-2021-22876/ SUSE CVE CVE-2021-22876 page https://www.suse.com/security/cve/CVE-2021-22890/ SUSE CVE CVE-2021-22890 page openSUSE Leap 15.2 curl-7.66.0-lp152.3.15.1 curl-mini-7.66.0-lp152.3.15.1 libcurl-devel-7.66.0-lp152.3.15.1 libcurl-devel-32bit-7.66.0-lp152.3.15.1 libcurl-mini-devel-7.66.0-lp152.3.15.1 libcurl4-7.66.0-lp152.3.15.1 libcurl4-32bit-7.66.0-lp152.3.15.1 libcurl4-mini-7.66.0-lp152.3.15.1 curl-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 curl-mini-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 libcurl-devel-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 libcurl-devel-32bit-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 libcurl-mini-devel-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 libcurl4-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 libcurl4-32bit-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 libcurl4-mini-7.66.0-lp152.3.15.1 as a component of openSUSE Leap 15.2 curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. CVE-2021-22876 openSUSE Leap 15.2:curl-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:curl-mini-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl-devel-32bit-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl-devel-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl-mini-devel-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl4-32bit-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl4-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl4-mini-7.66.0-lp152.3.15.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HDAO4Q3JZASM6AK274RF74JN2GJOK5UE/ https://www.suse.com/security/cve/CVE-2021-22876.html CVE-2021-22876 https://bugzilla.suse.com/1183933 SUSE Bug 1183933 curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. CVE-2021-22890 openSUSE Leap 15.2:curl-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:curl-mini-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl-devel-32bit-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl-devel-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl-mini-devel-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl4-32bit-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl4-7.66.0-lp152.3.15.1 openSUSE Leap 15.2:libcurl4-mini-7.66.0-lp152.3.15.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HDAO4Q3JZASM6AK274RF74JN2GJOK5UE/ https://www.suse.com/security/cve/CVE-2021-22890.html CVE-2021-22890 https://bugzilla.suse.com/1183934 SUSE Bug 1183934