[gentoo-announce] [ GLSA 202212-01 ] curl: Multiple Vulnerabilities - gentoo-announce

From:	glsamaker@g.o
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 202212-01 ] curl: Multiple Vulnerabilities
Date:	Mon, 19 Dec 2022 02:08:47
Message-Id:	`167141518877.8.13537138535868681407@2ac734cbf5a7`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 202212-01

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                           https://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

 Severity: High

8

    Title: curl: Multiple Vulnerabilities

9

     Date: December 19, 2022

10

     Bugs: #803308, #813270, #841302, #843824, #854708, #867679, #878365

11

       ID: 202212-01

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities have been found in curl, the worst of which

19

could result in arbitrary code execution.

20

21

Background

22

==========

23

24

A command line tool and library for transferring data with URLs.

25

26

Affected packages

27

=================

28

29

    -------------------------------------------------------------------

30

     Package              /     Vulnerable     /            Unaffected

31

    -------------------------------------------------------------------

32

  1  net-misc/curl              < 7.86.0                    >= 7.86.0

33

34

Description

35

===========

36

37

Multiple vulnerabilities have been discovered in curl. Please review the

38

CVE identifiers referenced below for details.

39

40

Impact

41

======

42

43

Please review the referenced CVE identifiers for details.

44

45

Workaround

46

==========

47

48

There is no known workaround at this time.

49

50

Resolution

51

==========

52

53

All curl users should upgrade to the latest version:

54

55

  # emerge --sync

56

  # emerge --ask --oneshot --verbose ">=net-misc/curl-7.86.0"

57

58

References

59

==========

60

61

[ 1 ] CVE-2021-22922

62

      https://nvd.nist.gov/vuln/detail/CVE-2021-22922

63

[ 2 ] CVE-2021-22923

64

      https://nvd.nist.gov/vuln/detail/CVE-2021-22923

65

[ 3 ] CVE-2021-22925

66

      https://nvd.nist.gov/vuln/detail/CVE-2021-22925

67

[ 4 ] CVE-2021-22926

68

      https://nvd.nist.gov/vuln/detail/CVE-2021-22926

69

[ 5 ] CVE-2021-22945

70

      https://nvd.nist.gov/vuln/detail/CVE-2021-22945

71

[ 6 ] CVE-2021-22946

72

      https://nvd.nist.gov/vuln/detail/CVE-2021-22946

73

[ 7 ] CVE-2021-22947

74

      https://nvd.nist.gov/vuln/detail/CVE-2021-22947

75

[ 8 ] CVE-2022-22576

76

      https://nvd.nist.gov/vuln/detail/CVE-2022-22576

77

[ 9 ] CVE-2022-27774

78

      https://nvd.nist.gov/vuln/detail/CVE-2022-27774

79

[ 10 ] CVE-2022-27775

80

      https://nvd.nist.gov/vuln/detail/CVE-2022-27775

81

[ 11 ] CVE-2022-27776

82

      https://nvd.nist.gov/vuln/detail/CVE-2022-27776

83

[ 12 ] CVE-2022-27779

84

      https://nvd.nist.gov/vuln/detail/CVE-2022-27779

85

[ 13 ] CVE-2022-27780

86

      https://nvd.nist.gov/vuln/detail/CVE-2022-27780

87

[ 14 ] CVE-2022-27781

88

      https://nvd.nist.gov/vuln/detail/CVE-2022-27781

89

[ 15 ] CVE-2022-27782

90

      https://nvd.nist.gov/vuln/detail/CVE-2022-27782

91

[ 16 ] CVE-2022-30115

92

      https://nvd.nist.gov/vuln/detail/CVE-2022-30115

93

[ 17 ] CVE-2022-32205

94

      https://nvd.nist.gov/vuln/detail/CVE-2022-32205

95

[ 18 ] CVE-2022-32206

96

      https://nvd.nist.gov/vuln/detail/CVE-2022-32206

97

[ 19 ] CVE-2022-32207

98

      https://nvd.nist.gov/vuln/detail/CVE-2022-32207

99

[ 20 ] CVE-2022-32208

100

      https://nvd.nist.gov/vuln/detail/CVE-2022-32208

101

[ 21 ] CVE-2022-32221

102

      https://nvd.nist.gov/vuln/detail/CVE-2022-32221

103

[ 22 ] CVE-2022-35252

104

      https://nvd.nist.gov/vuln/detail/CVE-2022-35252

105

[ 23 ] CVE-2022-35260

106

      https://nvd.nist.gov/vuln/detail/CVE-2022-35260

107

[ 24 ] CVE-2022-42915

108

      https://nvd.nist.gov/vuln/detail/CVE-2022-42915

109

[ 25 ] CVE-2022-42916

110

      https://nvd.nist.gov/vuln/detail/CVE-2022-42916

111

112

Availability

113

============

114

115

This GLSA and any updates to it are available for viewing at

116

the Gentoo Security Website:

117

118

 https://security.gentoo.org/glsa/202212-01

119

120

Concerns?

121

=========

122

123

Security is a primary focus of Gentoo Linux and ensuring the

124

confidentiality and security of our users' machines is of utmost

125

importance to us. Any security concerns should be addressed to

126

security@g.o or alternatively, you may file a bug at

127

https://bugs.gentoo.org.

128

129

License

130

=======

131

132

Copyright 2022 Gentoo Foundation, Inc; referenced text

133

belongs to its owner(s).

134

135

The contents of this document are licensed under the

136

Creative Commons - Attribution / Share Alike license.

137

138

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 202212-01
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	https://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: High
8	Title: curl: Multiple Vulnerabilities
9	Date: December 19, 2022
10	Bugs: #803308, #813270, #841302, #843824, #854708, #867679, #878365
11	ID: 202212-01
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities have been found in curl, the worst of which
19	could result in arbitrary code execution.
20
21	Background
22	==========
23
24	A command line tool and library for transferring data with URLs.
25
26	Affected packages
27	=================
28
29	-------------------------------------------------------------------
30	Package / Vulnerable / Unaffected
31	-------------------------------------------------------------------
32	1 net-misc/curl < 7.86.0 >= 7.86.0
33
34	Description
35	===========
36
37	Multiple vulnerabilities have been discovered in curl. Please review the
38	CVE identifiers referenced below for details.
39
40	Impact
41	======
42
43	Please review the referenced CVE identifiers for details.
44
45	Workaround
46	==========
47
48	There is no known workaround at this time.
49
50	Resolution
51	==========
52
53	All curl users should upgrade to the latest version:
54
55	# emerge --sync
56	# emerge --ask --oneshot --verbose ">=net-misc/curl-7.86.0"
57
58	References
59	==========
60
61	[ 1 ] CVE-2021-22922
62	https://nvd.nist.gov/vuln/detail/CVE-2021-22922
63	[ 2 ] CVE-2021-22923
64	https://nvd.nist.gov/vuln/detail/CVE-2021-22923
65	[ 3 ] CVE-2021-22925
66	https://nvd.nist.gov/vuln/detail/CVE-2021-22925
67	[ 4 ] CVE-2021-22926
68	https://nvd.nist.gov/vuln/detail/CVE-2021-22926
69	[ 5 ] CVE-2021-22945
70	https://nvd.nist.gov/vuln/detail/CVE-2021-22945
71	[ 6 ] CVE-2021-22946
72	https://nvd.nist.gov/vuln/detail/CVE-2021-22946
73	[ 7 ] CVE-2021-22947
74	https://nvd.nist.gov/vuln/detail/CVE-2021-22947
75	[ 8 ] CVE-2022-22576
76	https://nvd.nist.gov/vuln/detail/CVE-2022-22576
77	[ 9 ] CVE-2022-27774
78	https://nvd.nist.gov/vuln/detail/CVE-2022-27774
79	[ 10 ] CVE-2022-27775
80	https://nvd.nist.gov/vuln/detail/CVE-2022-27775
81	[ 11 ] CVE-2022-27776
82	https://nvd.nist.gov/vuln/detail/CVE-2022-27776
83	[ 12 ] CVE-2022-27779
84	https://nvd.nist.gov/vuln/detail/CVE-2022-27779
85	[ 13 ] CVE-2022-27780
86	https://nvd.nist.gov/vuln/detail/CVE-2022-27780
87	[ 14 ] CVE-2022-27781
88	https://nvd.nist.gov/vuln/detail/CVE-2022-27781
89	[ 15 ] CVE-2022-27782
90	https://nvd.nist.gov/vuln/detail/CVE-2022-27782
91	[ 16 ] CVE-2022-30115
92	https://nvd.nist.gov/vuln/detail/CVE-2022-30115
93	[ 17 ] CVE-2022-32205
94	https://nvd.nist.gov/vuln/detail/CVE-2022-32205
95	[ 18 ] CVE-2022-32206
96	https://nvd.nist.gov/vuln/detail/CVE-2022-32206
97	[ 19 ] CVE-2022-32207
98	https://nvd.nist.gov/vuln/detail/CVE-2022-32207
99	[ 20 ] CVE-2022-32208
100	https://nvd.nist.gov/vuln/detail/CVE-2022-32208
101	[ 21 ] CVE-2022-32221
102	https://nvd.nist.gov/vuln/detail/CVE-2022-32221
103	[ 22 ] CVE-2022-35252
104	https://nvd.nist.gov/vuln/detail/CVE-2022-35252
105	[ 23 ] CVE-2022-35260
106	https://nvd.nist.gov/vuln/detail/CVE-2022-35260
107	[ 24 ] CVE-2022-42915
108	https://nvd.nist.gov/vuln/detail/CVE-2022-42915
109	[ 25 ] CVE-2022-42916
110	https://nvd.nist.gov/vuln/detail/CVE-2022-42916
111
112	Availability
113	============
114
115	This GLSA and any updates to it are available for viewing at
116	the Gentoo Security Website:
117
118	https://security.gentoo.org/glsa/202212-01
119
120	Concerns?
121	=========
122
123	Security is a primary focus of Gentoo Linux and ensuring the
124	confidentiality and security of our users' machines is of utmost
125	importance to us. Any security concerns should be addressed to
126	security@g.o or alternatively, you may file a bug at
127	https://bugs.gentoo.org.
128
129	License
130	=======
131
132	Copyright 2022 Gentoo Foundation, Inc; referenced text
133	belongs to its owner(s).
134
135	The contents of this document are licensed under the
136	Creative Commons - Attribution / Share Alike license.
137
138	https://creativecommons.org/licenses/by-sa/2.5