OESA-2022-1659

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1659
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2022-1659.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2022-1659
Upstream
Published
2022-05-18T11:03:47Z
Modified
2025-08-12T05:12:28.103952Z
Summary
curl security update
Details

cURL is a computer software project providing a library (libcurl) and command-line tool (curl) for transferring data using various protocols.

Security Fix(es):

This security flaw in curl allows an OAUTH2-authenticated connection to be reused without properly ensuring that the connection is authenticated with the same credentials as those set for the current transfer. This can lead to authentication bypasses, either by mistake or through malicious actors.(CVE-2022-22576)

When asked, curl follows HTTP(S) redirects. curl also supports authentication. When a user name and password are provided for a URL with a given host name, curl makes an effort not to pass these credentials on to other hosts during redirects unless this is explicitly permitted with special options. This "same host check" has been flawed since its introduction: it does not work for cross-protocol redirects, and it does not treat different port numbers as separate hosts. As a result, credentials leak to other servers when curl redirects from an authentication-protected HTTP(S) URL to another protocol or port number. TLS SRP credentials can also leak in this way. By default, curl only allows redirects to HTTP(S) and FTP(S), but it can be asked to allow redirects to all curl-supported protocols.(CVE-2022-27774)

This issue in curl is caused by a logic bug: the configuration matching function does not take the IPv6 address zone id into account, so curl can reuse the wrong connection when one transfer uses a zone id and a subsequent transfer uses another.(CVE-2022-27775)

This security flaw in curl allows authentication or cookie header data to leak over HTTP when curl follows a redirect to the same host but a different port number. Applications that pass custom Authorization: or Cookie: headers are affected, since curl sends the same set of headers to the new port. Sending these headers to servers on different port numbers is a problem, because they often contain privacy-sensitive information or data.(CVE-2022-27776)

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / curl

Package

Name
curl
Purl
pkg:rpm/openEuler/curl&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
7.71.1-13.oe1

Ecosystem specific

{
    "aarch64": [
        "curl-7.71.1-13.oe1.aarch64.rpm",
        "curl-debuginfo-7.71.1-13.oe1.aarch64.rpm",
        "curl-debugsource-7.71.1-13.oe1.aarch64.rpm",
        "libcurl-7.71.1-13.oe1.aarch64.rpm",
        "libcurl-devel-7.71.1-13.oe1.aarch64.rpm"
    ],
    "noarch": [
        "curl-help-7.71.1-13.oe1.noarch.rpm"
    ],
    "x86_64": [
        "curl-7.71.1-13.oe1.x86_64.rpm",
        "curl-debuginfo-7.71.1-13.oe1.x86_64.rpm",
        "curl-debugsource-7.71.1-13.oe1.x86_64.rpm",
        "libcurl-7.71.1-13.oe1.x86_64.rpm",
        "libcurl-devel-7.71.1-13.oe1.x86_64.rpm"
    ],
    "src": [
        "curl-7.71.1-13.oe1.src.rpm"
    ]
}

openEuler:20.03-LTS-SP3 / curl

Package

Name
curl
Purl
pkg:rpm/openEuler/curl&distro=openEuler-20.03-LTS-SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
7.71.1-13.oe1

Ecosystem specific

{
    "aarch64": [
        "curl-7.71.1-13.oe1.aarch64.rpm",
        "curl-debuginfo-7.71.1-13.oe1.aarch64.rpm",
        "curl-debugsource-7.71.1-13.oe1.aarch64.rpm",
        "libcurl-7.71.1-13.oe1.aarch64.rpm",
        "libcurl-devel-7.71.1-13.oe1.aarch64.rpm"
    ],
    "noarch": [
        "curl-help-7.71.1-13.oe1.noarch.rpm"
    ],
    "x86_64": [
        "curl-7.71.1-13.oe1.x86_64.rpm",
        "curl-debuginfo-7.71.1-13.oe1.x86_64.rpm",
        "curl-debugsource-7.71.1-13.oe1.x86_64.rpm",
        "libcurl-7.71.1-13.oe1.x86_64.rpm",
        "libcurl-devel-7.71.1-13.oe1.x86_64.rpm"
    ],
    "src": [
        "curl-7.71.1-13.oe1.src.rpm"
    ]
}

openEuler:22.03-LTS / curl

Package

Name
curl
Purl
pkg:rpm/openEuler/curl&distro=openEuler-22.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
7.79.1-4.oe2203

Ecosystem specific

{
    "aarch64": [
        "curl-7.79.1-4.oe2203.aarch64.rpm",
        "curl-debuginfo-7.79.1-4.oe2203.aarch64.rpm",
        "curl-debugsource-7.79.1-4.oe2203.aarch64.rpm",
        "libcurl-7.79.1-4.oe2203.aarch64.rpm",
        "libcurl-devel-7.79.1-4.oe2203.aarch64.rpm"
    ],
    "noarch": [
        "curl-help-7.79.1-4.oe2203.noarch.rpm"
    ],
    "x86_64": [
        "curl-7.79.1-4.oe2203.x86_64.rpm",
        "curl-debuginfo-7.79.1-4.oe2203.x86_64.rpm",
        "curl-debugsource-7.79.1-4.oe2203.x86_64.rpm",
        "libcurl-7.79.1-4.oe2203.x86_64.rpm",
        "libcurl-devel-7.79.1-4.oe2203.x86_64.rpm"
    ],
    "src": [
        "curl-7.79.1-4.oe2203.src.rpm"
    ]
}