Release Info

Advisory: CLSA-2021:1635459163

OS: Ubuntu 16.04 ELS

Public date: 2021-10-28 00:00:00

Project: curl

Version: 7.47.0-1ubuntu2.23

Errata link: https://errata.cloudlinux.com/ubuntu16-els/CLSA-2021-1635459163.html

Changelog

* SECURITY UPDATE: Protocol downgrade required TLS bypassed
  - debian/patches/CVE-2021-22946-pre1.patch: separate FTPS from FTP over HTTPS proxy in lib/ftp.c, lib/urldata.h.
  - debian/patches/CVE-2021-22946-pre2.patch: support PREAUTH response code in lib/imap.c, lib/imap.h, tests/data/Makefile.inc, tests/data/test846.
  - debian/patches/CVE-2021-22946.patch: do not ignore --ssl-reqd in lib/ftp.c, lib/imap.c, lib/pop3.c, tests/data/Makefile.inc, tests/data/test984, tests/data/test985, tests/data/test986.
  - CVE-2021-22946
* SECURITY UPDATE: STARTTLS protocol injection via MITM
  - debian/patches/CVE-2021-22947.patch: reject STARTTLS server response pipelining in lib/ftp.c, lib/imap.c, lib/pop3.c, lib/smtp.c, tests/data/Makefile.inc, tests/data/test980, tests/data/test981, tests/data/test982, tests/data/test983.
  - CVE-2021-22947

Update

Packages list

curl_7.47.0-1ubuntu2.23_amd64.deb
libcurl3_7.47.0-1ubuntu2.23_amd64.deb
libcurl3-gnutls_7.47.0-1ubuntu2.23_amd64.deb
libcurl3-nss_7.47.0-1ubuntu2.23_amd64.deb
libcurl4-doc_7.47.0-1ubuntu2.23_all.deb
libcurl4-gnutls-dev_7.47.0-1ubuntu2.23_amd64.deb
libcurl4-nss-dev_7.47.0-1ubuntu2.23_amd64.deb
libcurl4-openssl-dev_7.47.0-1ubuntu2.23_amd64.deb

CVEs

CVE-2021-22946
CVE-2021-22947