Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1868032 (CVE-2020-8231)
Summary: | CVE-2020-8231 curl: Expired pointer dereference via multi API with CURLOPT_CONNECT_ONLY option set | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | andrew.slice, bodavis, cmoore, cwarfiel, dbhole, erik-fedora, gmccullo, hhorak, hvyas, john.j5live, jorton, kanderso, kaycoth, kdudka, luhliari, mike, msekleta, omajid, paul, rwagner, security-response-team, svashisht |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | curl 7.72.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in libcurl from versions 7.29.0 through 7.71.1. An application that performs multiple requests with libcurl's multi API, and sets the `CURLOPT_CONNECT_ONLY` option, might experience libcurl using the wrong connection. The highest threat from this vulnerability is to data confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 20:34:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1869752, 1869753, 1869754, 1870092, 1870093, 1870614, 1870615, 1870629 | ||
Bug Blocks: |
Description
Pedro Sampaio
2020-08-11 13:11:24 UTC
Acknowledgments: Name: the Curl project Upstream: Marc Aldorasi Created curl tracking bugs for this issue: Affects: fedora-all [bug 1870092] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1870093] The patch provided by curl upstream applies on curl-7.71.1 whereas RHEL-7 uses curl-7.29.0, which was released in 2013. 10242 commits landed upstream in between the 7.29.0 release and the commit that fixed CVE-2020-8231. Adapting the fix on a 7 years old code base is a risky task. Bug #1683292 is a good example of what happens when such a backport goes wrong. In this case it is also difficult to verify that backported fix actually works. Is there any reproducer for the security issue in question? This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1610 https://access.redhat.com/errata/RHSA-2021:1610 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8231 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8231 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days |