Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1786-1 Final 1 1 2021-05-27T14:45:51Z current 2021-05-27T14:45:51Z 2021-05-27T14:45:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2021-22898: TELNET stack contents disclosure (bsc#1186114) - CVE-2021-22876: The automatic referer leaks credentials (bsc#1183933) - CVE-2020-8286: Inferior OCSP verification (bsc#1179593) - CVE-2020-8285: FTP wildcard stack overflow (bsc#1179399) - CVE-2020-8284: Trusting FTP PASV responses (bsc#1179398) - CVE-2020-8231: libcurl will pick and use the wrong connection with multiple requests with libcurl's multi API and the 'CURLOPT_CONNECT_ONLY' option (bsc#1175109) - Fix: SFTP uploads result in empty uploaded files (bsc#1177976) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/sles12sp4:latest-2021-1786,Image SLES12-SP4-Azure-BYOS-2021-1786,Image SLES12-SP4-EC2-HVM-BYOS-2021-1786,Image SLES12-SP4-GCE-BYOS-2021-1786,Image SLES12-SP4-SAP-Azure-2021-1786,Image SLES12-SP4-SAP-Azure-BYOS-2021-1786,Image SLES12-SP4-SAP-Azure-LI-BYOS-Production-2021-1786,Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production-2021-1786,Image SLES12-SP4-SAP-EC2-HVM-2021-1786,Image SLES12-SP4-SAP-EC2-HVM-BYOS-2021-1786,Image SLES12-SP4-SAP-GCE-2021-1786,Image SLES12-SP4-SAP-GCE-BYOS-2021-1786,SUSE-2021-1786,SUSE-OpenStack-Cloud-9-2021-1786,SUSE-OpenStack-Cloud-Crowbar-9-2021-1786,SUSE-SLE-SAP-12-SP4-2021-1786,SUSE-SLE-SERVER-12-SP4-LTSS-2021-1786 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211786-1/ Link for SUSE-SU-2021:1786-1 https://lists.suse.com/pipermail/sle-security-updates/2021-May/008879.html E-Mail link for SUSE-SU-2021:1786-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1175109 SUSE Bug 1175109 https://bugzilla.suse.com/1177976 SUSE Bug 1177976 https://bugzilla.suse.com/1179398 SUSE Bug 1179398 https://bugzilla.suse.com/1179399 SUSE Bug 1179399 https://bugzilla.suse.com/1179593 SUSE Bug 1179593 https://bugzilla.suse.com/1183933 SUSE Bug 1183933 https://bugzilla.suse.com/1186114 SUSE Bug 1186114 https://www.suse.com/security/cve/CVE-2020-8231/ SUSE CVE CVE-2020-8231 page https://www.suse.com/security/cve/CVE-2020-8284/ SUSE CVE CVE-2020-8284 page https://www.suse.com/security/cve/CVE-2020-8285/ SUSE CVE CVE-2020-8285 page https://www.suse.com/security/cve/CVE-2020-8286/ SUSE CVE CVE-2020-8286 page https://www.suse.com/security/cve/CVE-2021-22876/ SUSE CVE CVE-2021-22876 page https://www.suse.com/security/cve/CVE-2021-22898/ SUSE CVE CVE-2021-22898 page Container suse/sles12sp4:latest Image SLES12-SP4-Azure-BYOS Image SLES12-SP4-EC2-HVM-BYOS Image SLES12-SP4-GCE-BYOS Image SLES12-SP4-SAP-Azure Image SLES12-SP4-SAP-Azure-BYOS Image SLES12-SP4-SAP-Azure-LI-BYOS-Production Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production Image SLES12-SP4-SAP-EC2-HVM Image SLES12-SP4-SAP-EC2-HVM-BYOS Image SLES12-SP4-SAP-GCE Image SLES12-SP4-SAP-GCE-BYOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 libcurl4-7.60.0-4.20.1 curl-7.60.0-4.20.1 curl-mini-7.60.0-4.20.1 libcurl-devel-7.60.0-4.20.1 libcurl-devel-32bit-7.60.0-4.20.1 libcurl-devel-64bit-7.60.0-4.20.1 libcurl-mini-devel-7.60.0-4.20.1 libcurl4-32bit-7.60.0-4.20.1 libcurl4-64bit-7.60.0-4.20.1 libcurl4-mini-7.60.0-4.20.1 libcurl4-7.60.0-4.20.1 as a component of Container suse/sles12sp4:latest curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-Azure-BYOS libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-Azure-BYOS curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-EC2-HVM-BYOS libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-EC2-HVM-BYOS curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-GCE-BYOS libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-GCE-BYOS curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure-BYOS libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure-BYOS curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure-LI-BYOS-Production libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure-LI-BYOS-Production curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-EC2-HVM libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-EC2-HVM curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-EC2-HVM-BYOS libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-EC2-HVM-BYOS curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-GCE libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-GCE curl-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-GCE-BYOS libcurl4-7.60.0-4.20.1 as a component of Image SLES12-SP4-SAP-GCE-BYOS curl-7.60.0-4.20.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libcurl4-7.60.0-4.20.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS libcurl4-32bit-7.60.0-4.20.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS curl-7.60.0-4.20.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libcurl4-7.60.0-4.20.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 libcurl4-32bit-7.60.0-4.20.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 curl-7.60.0-4.20.1 as a component of SUSE OpenStack Cloud 9 libcurl4-7.60.0-4.20.1 as a component of SUSE OpenStack Cloud 9 libcurl4-32bit-7.60.0-4.20.1 as a component of SUSE OpenStack Cloud 9 curl-7.60.0-4.20.1 as a component of SUSE OpenStack Cloud Crowbar 9 libcurl4-7.60.0-4.20.1 as a component of SUSE OpenStack Cloud Crowbar 9 libcurl4-32bit-7.60.0-4.20.1 as a component of SUSE OpenStack Cloud Crowbar 9 Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. CVE-2020-8231 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.20.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211786-1/ https://www.suse.com/security/cve/CVE-2020-8231.html CVE-2020-8231 https://bugzilla.suse.com/1175109 SUSE Bug 1175109 https://bugzilla.suse.com/1179399 SUSE Bug 1179399 https://bugzilla.suse.com/1186108 SUSE Bug 1186108 A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. CVE-2020-8284 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.20.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211786-1/ https://www.suse.com/security/cve/CVE-2020-8284.html CVE-2020-8284 https://bugzilla.suse.com/1179398 SUSE Bug 1179398 https://bugzilla.suse.com/1179399 SUSE Bug 1179399 https://bugzilla.suse.com/1186108 SUSE Bug 1186108 curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. CVE-2020-8285 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.20.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211786-1/ https://www.suse.com/security/cve/CVE-2020-8285.html CVE-2020-8285 https://bugzilla.suse.com/1179399 SUSE Bug 1179399 https://bugzilla.suse.com/1186108 SUSE Bug 1186108 curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. CVE-2020-8286 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.20.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211786-1/ https://www.suse.com/security/cve/CVE-2020-8286.html CVE-2020-8286 https://bugzilla.suse.com/1179593 SUSE Bug 1179593 https://bugzilla.suse.com/1186108 SUSE Bug 1186108 curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. CVE-2021-22876 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.20.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211786-1/ https://www.suse.com/security/cve/CVE-2021-22876.html CVE-2021-22876 https://bugzilla.suse.com/1183933 SUSE Bug 1183933 curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. CVE-2021-22898 Container suse/sles12sp4:latest:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-LI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure-VLI-BYOS-Production:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-Azure:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-EC2-HVM:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE-BYOS:libcurl4-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:curl-7.60.0-4.20.1 Image SLES12-SP4-SAP-GCE:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server 12 SP4-LTSS:libcurl4-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:curl-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-32bit-7.60.0-4.20.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud 9:libcurl4-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:curl-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-32bit-7.60.0-4.20.1 SUSE OpenStack Cloud Crowbar 9:libcurl4-7.60.0-4.20.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211786-1/ https://www.suse.com/security/cve/CVE-2021-22898.html CVE-2021-22898 https://bugzilla.suse.com/1186114 SUSE Bug 1186114 https://bugzilla.suse.com/1192450 SUSE Bug 1192450