rpm package

suse/curl&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP4

pkg:rpm/suse/curl&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4

Vulnerabilities (38)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-22924		—	< 7.60.0-4.25.1	7.60.0-4.25.1	Aug 5, 2021	libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively
CVE-2021-22923		—	< 7.60.0-4.25.1	7.60.0-4.25.1	Aug 5, 2021	When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents
CVE-2021-22898	Low	3.1	< 7.60.0-4.20.1	7.60.0-4.20.1	Jun 11, 2021	curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could
CVE-2021-22876		—	< 7.60.0-4.20.1	7.60.0-4.20.1	Apr 1, 2021	curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP
CVE-2020-8285	Hig	7.5	< 7.60.0-4.20.1	7.60.0-4.20.1	Dec 14, 2020	curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
CVE-2020-8284	Low	3.7	< 7.60.0-4.20.1	7.60.0-4.20.1	Dec 14, 2020	A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanni
CVE-2020-8177	Hig	7.8	< 7.60.0-4.15.2	7.60.0-4.15.2	Dec 14, 2020	curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
CVE-2020-8286		—	< 7.60.0-4.20.1	7.60.0-4.20.1	Dec 14, 2020	curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
CVE-2020-8231		—	< 7.60.0-4.20.1	7.60.0-4.20.1	Dec 14, 2020	Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVE-2019-5482	Cri	9.8	< 7.60.0-4.9.1	7.60.0-4.9.1	Sep 16, 2019	Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-5481	Cri	9.8	< 7.60.0-4.9.1	7.60.0-4.9.1	Sep 16, 2019	Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5436	Hig	7.8	< 7.60.0-4.6.1	7.60.0-4.6.1	May 28, 2019	A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
CVE-2019-3823		—	< 7.60.0-4.3.1	7.60.0-4.3.1	Feb 6, 2019	libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5,
CVE-2019-3822		—	< 7.60.0-4.3.1	7.60.0-4.3.1	Feb 6, 2019	libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received
CVE-2018-16890		—	< 7.60.0-4.3.1	7.60.0-4.3.1	Feb 6, 2019	libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulne
CVE-2018-16842		—	< 7.60.0-4.3.1	7.60.0-4.3.1	Oct 31, 2018	Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
CVE-2018-16840		—	< 7.60.0-4.3.1	7.60.0-4.3.1	Oct 31, 2018	A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and mi
CVE-2018-16839		—	< 7.60.0-4.3.1	7.60.0-4.3.1	Oct 31, 2018	Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.

CVE-2021-22924Aug 5, 2021
affected < 7.60.0-4.25.1fixed 7.60.0-4.25.1
libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively
CVE-2021-22923Aug 5, 2021
affected < 7.60.0-4.25.1fixed 7.60.0-4.25.1
When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents
CVE-2021-22898LowJun 11, 2021
affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could
CVE-2021-22876Apr 1, 2021
affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP
CVE-2020-8285HigDec 14, 2020
affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
CVE-2020-8284LowDec 14, 2020
affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanni
CVE-2020-8177HigDec 14, 2020
affected < 7.60.0-4.15.2fixed 7.60.0-4.15.2
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.
CVE-2020-8286Dec 14, 2020
affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
CVE-2020-8231Dec 14, 2020
affected < 7.60.0-4.20.1fixed 7.60.0-4.20.1
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data.
CVE-2019-5482CriSep 16, 2019
affected < 7.60.0-4.9.1fixed 7.60.0-4.9.1
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-5481CriSep 16, 2019
affected < 7.60.0-4.9.1fixed 7.60.0-4.9.1
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5436HigMay 28, 2019
affected < 7.60.0-4.6.1fixed 7.60.0-4.6.1
A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
CVE-2019-3823Feb 6, 2019
affected < 7.60.0-4.3.1fixed 7.60.0-4.3.1
libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5,
CVE-2019-3822Feb 6, 2019
affected < 7.60.0-4.3.1fixed 7.60.0-4.3.1
libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header (`lib/vauth/ntlm.c:Curl_auth_create_ntlm_type3_message()`), generates the request HTTP header contents based on previously received
CVE-2018-16890Feb 6, 2019
affected < 7.60.0-4.3.1fixed 7.60.0-4.3.1
libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulne
CVE-2018-16842Oct 31, 2018
affected < 7.60.0-4.3.1fixed 7.60.0-4.3.1
Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.
CVE-2018-16840Oct 31, 2018
affected < 7.60.0-4.3.1fixed 7.60.0-4.3.1
A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. When closing and cleaning up an 'easy' handle in the `Curl_close()` function, the library code first frees a struct (without nulling the pointer) and mi
CVE-2018-16839Oct 31, 2018
affected < 7.60.0-4.3.1fixed 7.60.0-4.3.1
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.

Page 2 of 2