import curl-7.76.1-14.el9_0.4
This commit is contained in:
parent
b1c2dcdbd7
commit
00d95ea797
148
SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch
Normal file
148
SOURCES/0010-curl-7.76.1-CVE-2022-22576.patch
Normal file
@ -0,0 +1,148 @@
|
|||||||
|
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Patrick Monnerat <patrick@monnerat.net>
|
||||||
|
Date: Mon, 25 Apr 2022 11:44:05 +0200
|
||||||
|
Subject: [PATCH] url: check sasl additional parameters for connection reuse.
|
||||||
|
|
||||||
|
Also move static function safecmp() as non-static Curl_safecmp() since
|
||||||
|
its purpose is needed at several places.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-22576.html
|
||||||
|
|
||||||
|
CVE-2022-22576
|
||||||
|
|
||||||
|
Closes #8746
|
||||||
|
|
||||||
|
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/strcase.c | 10 ++++++++++
|
||||||
|
lib/strcase.h | 2 ++
|
||||||
|
lib/url.c | 13 ++++++++++++-
|
||||||
|
lib/urldata.h | 1 +
|
||||||
|
lib/vtls/vtls.c | 21 ++++++---------------
|
||||||
|
5 files changed, 31 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/strcase.c b/lib/strcase.c
|
||||||
|
index dd46ca1..692a3f1 100644
|
||||||
|
--- a/lib/strcase.c
|
||||||
|
+++ b/lib/strcase.c
|
||||||
|
@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n)
|
||||||
|
} while(*src++ && --n);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
||||||
|
+ * null pointers. Return true if arguments match.
|
||||||
|
+ */
|
||||||
|
+bool Curl_safecmp(char *a, char *b)
|
||||||
|
+{
|
||||||
|
+ if(a && b)
|
||||||
|
+ return !strcmp(a, b);
|
||||||
|
+ return !a && !b;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* --- public functions --- */
|
||||||
|
|
||||||
|
int curl_strequal(const char *first, const char *second)
|
||||||
|
diff --git a/lib/strcase.h b/lib/strcase.h
|
||||||
|
index b628656..382b80a 100644
|
||||||
|
--- a/lib/strcase.h
|
||||||
|
+++ b/lib/strcase.h
|
||||||
|
@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in);
|
||||||
|
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||||
|
void Curl_strntolower(char *dest, const char *src, size_t n);
|
||||||
|
|
||||||
|
+bool Curl_safecmp(char *a, char *b);
|
||||||
|
+
|
||||||
|
#endif /* HEADER_CURL_STRCASE_H */
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index adef2cd..94e3406 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn)
|
||||||
|
Curl_safefree(conn->passwd);
|
||||||
|
Curl_safefree(conn->sasl_authzid);
|
||||||
|
Curl_safefree(conn->options);
|
||||||
|
+ Curl_safefree(conn->oauth_bearer);
|
||||||
|
Curl_dyn_free(&conn->trailer);
|
||||||
|
Curl_safefree(conn->host.rawalloc); /* host name buffer */
|
||||||
|
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */
|
||||||
|
@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
|
/* This protocol requires credentials per connection,
|
||||||
|
so verify that we're using the same name and password as well */
|
||||||
|
if(strcmp(needle->user, check->user) ||
|
||||||
|
- strcmp(needle->passwd, check->passwd)) {
|
||||||
|
+ strcmp(needle->passwd, check->passwd) ||
|
||||||
|
+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) ||
|
||||||
|
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) {
|
||||||
|
/* one of them was different */
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if(data->set.str[STRING_BEARER]) {
|
||||||
|
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]);
|
||||||
|
+ if(!conn->oauth_bearer) {
|
||||||
|
+ result = CURLE_OUT_OF_MEMORY;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#ifdef USE_UNIX_SOCKETS
|
||||||
|
if(data->set.str[STRING_UNIX_SOCKET_PATH]) {
|
||||||
|
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]);
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index cc8a600..03da59a 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -991,6 +991,7 @@ struct connectdata {
|
||||||
|
char *passwd; /* password string, allocated */
|
||||||
|
char *options; /* options string, allocated */
|
||||||
|
char *sasl_authzid; /* authorisation identity string, allocated */
|
||||||
|
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */
|
||||||
|
unsigned char httpversion; /* the HTTP version*10 reported by the server */
|
||||||
|
struct curltime now; /* "current" time */
|
||||||
|
struct curltime created; /* creation time */
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index 03b85ba..a40ac06 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
|
||||||
|
return !memcmp(first->data, second->data, first->len); /* same data */
|
||||||
|
}
|
||||||
|
|
||||||
|
-static bool safecmp(char *a, char *b)
|
||||||
|
-{
|
||||||
|
- if(a && b)
|
||||||
|
- return !strcmp(a, b);
|
||||||
|
- else if(!a && !b)
|
||||||
|
- return TRUE; /* match */
|
||||||
|
- return FALSE; /* no match */
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
|
||||||
|
bool
|
||||||
|
Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
(data->verifystatus == needle->verifystatus) &&
|
||||||
|
blobcmp(data->cert_blob, needle->cert_blob) &&
|
||||||
|
blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
|
||||||
|
- safecmp(data->CApath, needle->CApath) &&
|
||||||
|
- safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
- safecmp(data->issuercert, needle->issuercert) &&
|
||||||
|
- safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
- safecmp(data->random_file, needle->random_file) &&
|
||||||
|
- safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
+ Curl_safecmp(data->CApath, needle->CApath) &&
|
||||||
|
+ Curl_safecmp(data->CAfile, needle->CAfile) &&
|
||||||
|
+ Curl_safecmp(data->issuercert, needle->issuercert) &&
|
||||||
|
+ Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
+ Curl_safecmp(data->random_file, needle->random_file) &&
|
||||||
|
+ Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||||||
|
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
243
SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch
Normal file
243
SOURCES/0012-curl-7.76.1-CVE-2022-27776.patch
Normal file
@ -0,0 +1,243 @@
|
|||||||
|
From 2be87227d4b4024c91ff6c856520cac9c9619555 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 13:05:40 +0200
|
||||||
|
Subject: [PATCH 1/2] http: avoid auth/cookie on redirects same host diff port
|
||||||
|
|
||||||
|
CVE-2022-27776
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27776.html
|
||||||
|
Closes #8749
|
||||||
|
|
||||||
|
Upstream-commit: 6e659993952aa5f90f48864be84a1bbb047fc258
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http.c | 33 +++++++++++++++++++++------------
|
||||||
|
lib/urldata.h | 16 +++++++++-------
|
||||||
|
2 files changed, 30 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index 799d4fb..0791dcf 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -775,6 +775,21 @@ output_auth_headers(struct Curl_easy *data,
|
||||||
|
return CURLE_OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
||||||
|
+ * data" can (still) be sent to this host.
|
||||||
|
+ */
|
||||||
|
+static bool allow_auth_to_host(struct Curl_easy *data)
|
||||||
|
+{
|
||||||
|
+ struct connectdata *conn = data->conn;
|
||||||
|
+ return (!data->state.this_is_a_follow ||
|
||||||
|
+ data->set.allow_auth_to_other_hosts ||
|
||||||
|
+ (data->state.first_host &&
|
||||||
|
+ strcasecompare(data->state.first_host, conn->host.name) &&
|
||||||
|
+ (data->state.first_remote_port == conn->remote_port) &&
|
||||||
|
+ (data->state.first_remote_protocol == conn->handler->protocol)));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/**
|
||||||
|
* Curl_http_output_auth() setups the authentication headers for the
|
||||||
|
* host/proxy and the correct authentication
|
||||||
|
@@ -847,15 +862,11 @@ Curl_http_output_auth(struct Curl_easy *data,
|
||||||
|
with it */
|
||||||
|
authproxy->done = TRUE;
|
||||||
|
|
||||||
|
- /* To prevent the user+password to get sent to other than the original
|
||||||
|
- host due to a location-follow, we do some weirdo checks here */
|
||||||
|
- if(!data->state.this_is_a_follow ||
|
||||||
|
- conn->bits.netrc ||
|
||||||
|
- !data->state.first_host ||
|
||||||
|
- data->set.allow_auth_to_other_hosts ||
|
||||||
|
- strcasecompare(data->state.first_host, conn->host.name)) {
|
||||||
|
+ /* To prevent the user+password to get sent to other than the original host
|
||||||
|
+ due to a location-follow */
|
||||||
|
+ if(allow_auth_to_host(data)
|
||||||
|
+ || conn->bits.netrc)
|
||||||
|
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
|
||||||
|
- }
|
||||||
|
else
|
||||||
|
authhost->done = TRUE;
|
||||||
|
|
||||||
|
@@ -1906,10 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
||||||
|
checkprefix("Cookie:", compare)) &&
|
||||||
|
/* be careful of sending this potentially sensitive header to
|
||||||
|
other hosts */
|
||||||
|
- (data->state.this_is_a_follow &&
|
||||||
|
- data->state.first_host &&
|
||||||
|
- !data->set.allow_auth_to_other_hosts &&
|
||||||
|
- !strcasecompare(data->state.first_host, conn->host.name)))
|
||||||
|
+ !allow_auth_to_host(data))
|
||||||
|
;
|
||||||
|
else {
|
||||||
|
#ifdef USE_HYPER
|
||||||
|
@@ -2081,6 +2089,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn)
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
|
||||||
|
data->state.first_remote_port = conn->remote_port;
|
||||||
|
+ data->state.first_remote_protocol = conn->handler->protocol;
|
||||||
|
}
|
||||||
|
Curl_safefree(data->state.aptr.host);
|
||||||
|
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 03da59a..f92052a 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1336,14 +1336,16 @@ struct UrlState {
|
||||||
|
char *ulbuf; /* allocated upload buffer or NULL */
|
||||||
|
curl_off_t current_speed; /* the ProgressShow() function sets this,
|
||||||
|
bytes / second */
|
||||||
|
- char *first_host; /* host name of the first (not followed) request.
|
||||||
|
- if set, this should be the host name that we will
|
||||||
|
- sent authorization to, no else. Used to make Location:
|
||||||
|
- following not keep sending user+password... This is
|
||||||
|
- strdup() data.
|
||||||
|
- */
|
||||||
|
+
|
||||||
|
+ /* host name, port number and protocol of the first (not followed) request.
|
||||||
|
+ if set, this should be the host name that we will sent authorization to,
|
||||||
|
+ no else. Used to make Location: following not keep sending user+password.
|
||||||
|
+ This is strdup()ed data. */
|
||||||
|
+ char *first_host;
|
||||||
|
+ int first_remote_port;
|
||||||
|
+ unsigned int first_remote_protocol;
|
||||||
|
+
|
||||||
|
int retrycount; /* number of retries on a new connection */
|
||||||
|
- int first_remote_port; /* remote port of the first (not followed) request */
|
||||||
|
struct Curl_ssl_session *session; /* array of 'max_ssl_sessions' size */
|
||||||
|
long sessionage; /* number of the most recent session */
|
||||||
|
struct tempbuf tempwrite[3]; /* BOTH, HEADER, BODY */
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From c0d12f1634785596746e5d461319dcb95b5b6ae8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 13:05:47 +0200
|
||||||
|
Subject: [PATCH 2/2] test898: verify the fix for CVE-2022-27776
|
||||||
|
|
||||||
|
Do not pass on Authorization headers on redirects to another port
|
||||||
|
|
||||||
|
Upstream-commit: afe752e0504ab60bf63787ede0b992cbe1065f78
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 2 +-
|
||||||
|
tests/data/test898 | 90 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 91 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 tests/data/test898
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 59d46bc..7ae2cf8 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -106,7 +106,7 @@ test854 test855 test856 test857 test858 test859 test860 test861 test862 \
|
||||||
|
test863 test864 test865 test866 test867 test868 test869 test870 test871 \
|
||||||
|
test872 test873 test874 test875 test876 test877 test878 test879 test880 \
|
||||||
|
test881 test882 test883 test884 test885 test886 test887 test888 test889 \
|
||||||
|
-test890 test891 test892 test893 test894 test895 test896 \
|
||||||
|
+test890 test891 test892 test893 test894 test895 test896 test898 \
|
||||||
|
\
|
||||||
|
test900 test901 test902 test903 test904 test905 test906 test907 test908 \
|
||||||
|
test909 test910 test911 test912 test913 test914 test915 test916 test917 \
|
||||||
|
diff --git a/tests/data/test898 b/tests/data/test898
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..5cbb7d8
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test898
|
||||||
|
@@ -0,0 +1,90 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+--location
|
||||||
|
+Authorization
|
||||||
|
+Cookie
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with custom auth and cookies redirected to HTTP on a diff port
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -H "Authorization: Basic am9lOnNlY3JldA==" -H "Cookie: userpwd=am9lOnNlY3JldA=="
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
|
+Host: firsthost.com
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+Cookie: userpwd=am9lOnNlY3JldA==
|
||||||
|
+
|
||||||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||||||
|
+Host: firsthost.com:9999
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
635
SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch
Normal file
635
SOURCES/0013-curl-7.76.1-CVE-2022-27774.patch
Normal file
@ -0,0 +1,635 @@
|
|||||||
|
From ecee0926868d138312e9608531b232f697e50cad Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
|
Subject: [PATCH 1/4] connect: store "conn_remote_port" in the info struct
|
||||||
|
|
||||||
|
To make it available after the connection ended.
|
||||||
|
|
||||||
|
Upstream-commit: 08b8ef4e726ba10f45081ecda5b3cea788d3c839
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/connect.c | 1 +
|
||||||
|
lib/urldata.h | 6 +++++-
|
||||||
|
2 files changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/connect.c b/lib/connect.c
|
||||||
|
index 64f9511..7518807 100644
|
||||||
|
--- a/lib/connect.c
|
||||||
|
+++ b/lib/connect.c
|
||||||
|
@@ -619,6 +619,7 @@ void Curl_persistconninfo(struct Curl_easy *data, struct connectdata *conn,
|
||||||
|
data->info.conn_scheme = conn->handler->scheme;
|
||||||
|
data->info.conn_protocol = conn->handler->protocol;
|
||||||
|
data->info.conn_primary_port = conn->port;
|
||||||
|
+ data->info.conn_remote_port = conn->remote_port;
|
||||||
|
data->info.conn_local_port = local_port;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index f92052a..5218f76 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -1167,7 +1167,11 @@ struct PureInfo {
|
||||||
|
reused, in the connection cache. */
|
||||||
|
|
||||||
|
char conn_primary_ip[MAX_IPADR_LEN];
|
||||||
|
- int conn_primary_port;
|
||||||
|
+ int conn_primary_port; /* this is the destination port to the connection,
|
||||||
|
+ which might have been a proxy */
|
||||||
|
+ int conn_remote_port; /* this is the "remote port", which is the port
|
||||||
|
+ number of the used URL, independent of proxy or
|
||||||
|
+ not */
|
||||||
|
char conn_local_ip[MAX_IPADR_LEN];
|
||||||
|
int conn_local_port;
|
||||||
|
const char *conn_scheme;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 12c129f8d0b165d83ed954f68717d88ffc1cfc5f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
|
Subject: [PATCH 2/4] transfer: redirects to other protocols or ports clear
|
||||||
|
auth
|
||||||
|
|
||||||
|
... unless explicitly permitted.
|
||||||
|
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27774.html
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #8748
|
||||||
|
|
||||||
|
Upstream-commit: 620ea21410030a9977396b4661806bc187231b79
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/transfer.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 48 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/transfer.c b/lib/transfer.c
|
||||||
|
index 1f8019b..752fe14 100644
|
||||||
|
--- a/lib/transfer.c
|
||||||
|
+++ b/lib/transfer.c
|
||||||
|
@@ -1641,10 +1641,57 @@ CURLcode Curl_follow(struct Curl_easy *data,
|
||||||
|
return CURLE_OUT_OF_MEMORY;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
-
|
||||||
|
uc = curl_url_get(data->state.uh, CURLUPART_URL, &newurl, 0);
|
||||||
|
if(uc)
|
||||||
|
return Curl_uc_to_curlcode(uc);
|
||||||
|
+
|
||||||
|
+ /* Clear auth if this redirects to a different port number or protocol,
|
||||||
|
+ unless permitted */
|
||||||
|
+ if(!data->set.allow_auth_to_other_hosts && (type != FOLLOW_FAKE)) {
|
||||||
|
+ char *portnum;
|
||||||
|
+ int port;
|
||||||
|
+ bool clear = FALSE;
|
||||||
|
+
|
||||||
|
+ if(data->set.use_port && data->state.allow_port)
|
||||||
|
+ /* a custom port is used */
|
||||||
|
+ port = (int)data->set.use_port;
|
||||||
|
+ else {
|
||||||
|
+ uc = curl_url_get(data->state.uh, CURLUPART_PORT, &portnum,
|
||||||
|
+ CURLU_DEFAULT_PORT);
|
||||||
|
+ if(uc) {
|
||||||
|
+ free(newurl);
|
||||||
|
+ return Curl_uc_to_curlcode(uc);
|
||||||
|
+ }
|
||||||
|
+ port = atoi(portnum);
|
||||||
|
+ free(portnum);
|
||||||
|
+ }
|
||||||
|
+ if(port != data->info.conn_remote_port) {
|
||||||
|
+ infof(data, "Clear auth, redirects to port from %u to %u",
|
||||||
|
+ data->info.conn_remote_port, port);
|
||||||
|
+ clear = TRUE;
|
||||||
|
+ }
|
||||||
|
+ else {
|
||||||
|
+ char *scheme;
|
||||||
|
+ const struct Curl_handler *p;
|
||||||
|
+ uc = curl_url_get(data->state.uh, CURLUPART_SCHEME, &scheme, 0);
|
||||||
|
+ if(uc) {
|
||||||
|
+ free(newurl);
|
||||||
|
+ return Curl_uc_to_curlcode(uc);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ p = Curl_builtin_scheme(scheme);
|
||||||
|
+ if(p && (p->protocol != data->info.conn_protocol)) {
|
||||||
|
+ infof(data, "Clear auth, redirects scheme from %s to %s",
|
||||||
|
+ data->info.conn_scheme, scheme);
|
||||||
|
+ clear = TRUE;
|
||||||
|
+ }
|
||||||
|
+ free(scheme);
|
||||||
|
+ }
|
||||||
|
+ if(clear) {
|
||||||
|
+ Curl_safefree(data->state.aptr.user);
|
||||||
|
+ Curl_safefree(data->state.aptr.passwd);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if(type == FOLLOW_FAKE) {
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 83bf4314d88cc16469afeaaefd6686a50371d1b7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 16:24:33 +0200
|
||||||
|
Subject: [PATCH 3/4] tests: verify the fix for CVE-2022-27774
|
||||||
|
|
||||||
|
- Test 973 redirects from HTTP to FTP, clear auth
|
||||||
|
- Test 974 redirects from HTTP to HTTP different port, clear auth
|
||||||
|
- Test 975 redirects from HTTP to FTP, permitted to keep auth
|
||||||
|
- Test 976 redirects from HTTP to HTTP different port, permitted to keep
|
||||||
|
auth
|
||||||
|
|
||||||
|
Upstream-commit: 5295e8d64ac6949ecb3f9e564317a608f51b90d8
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/data/Makefile.inc | 1 +
|
||||||
|
tests/data/test973 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test974 | 87 ++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test975 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
tests/data/test976 | 88 +++++++++++++++++++++++++++++++++++++++++
|
||||||
|
5 files changed, 352 insertions(+)
|
||||||
|
create mode 100644 tests/data/test973
|
||||||
|
create mode 100644 tests/data/test974
|
||||||
|
create mode 100644 tests/data/test975
|
||||||
|
create mode 100644 tests/data/test976
|
||||||
|
|
||||||
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||||
|
index 7ae2cf8..175fc43 100644
|
||||||
|
--- a/tests/data/Makefile.inc
|
||||||
|
+++ b/tests/data/Makefile.inc
|
||||||
|
@@ -116,6 +116,7 @@ test936 test937 test938 test939 test940 test941 test942 test943 test944 \
|
||||||
|
test945 test946 test947 test948 test949 test950 test951 test952 test953 \
|
||||||
|
test954 test955 test956 test957 test958 test959 test960 test961 test962 \
|
||||||
|
test963 test964 test965 test966 test967 test968 test969 test970 test971 \
|
||||||
|
+test973 test974 test975 test976 \
|
||||||
|
\
|
||||||
|
test980 test981 test982 test983 test984 test985 test986 \
|
||||||
|
\
|
||||||
|
diff --git a/tests/data/test973 b/tests/data/test973
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..6ced107
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test973
|
||||||
|
@@ -0,0 +1,88 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+FTP
|
||||||
|
+--location
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+ftp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to FTP w/o auth
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -L -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+
|
||||||
|
+USER anonymous
|
||||||
|
+PASS ftp@example.com
|
||||||
|
+PWD
|
||||||
|
+CWD a
|
||||||
|
+CWD path
|
||||||
|
+EPSV
|
||||||
|
+TYPE I
|
||||||
|
+SIZE %TESTNUMBER0002
|
||||||
|
+RETR %TESTNUMBER0002
|
||||||
|
+QUIT
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test974 b/tests/data/test974
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..ac4e641
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test974
|
||||||
|
@@ -0,0 +1,87 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+--location
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to HTTP on a diff port w/o auth
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com -L -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
|
+Host: firsthost.com
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||||||
|
+Host: firsthost.com:9999
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test975 b/tests/data/test975
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..85e03e4
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test975
|
||||||
|
@@ -0,0 +1,88 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+FTP
|
||||||
|
+--location-trusted
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: ftp://%HOSTIP:%FTPPORT/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+data
|
||||||
|
+ to
|
||||||
|
+ see
|
||||||
|
+that FTP
|
||||||
|
+works
|
||||||
|
+ so does it?
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+ftp
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to FTP allowing auth to continue
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER --location-trusted -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET /%TESTNUMBER HTTP/1.1
|
||||||
|
+Host: %HOSTIP:%HTTPPORT
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+
|
||||||
|
+USER joe
|
||||||
|
+PASS secret
|
||||||
|
+PWD
|
||||||
|
+CWD a
|
||||||
|
+CWD path
|
||||||
|
+EPSV
|
||||||
|
+TYPE I
|
||||||
|
+SIZE %TESTNUMBER0002
|
||||||
|
+RETR %TESTNUMBER0002
|
||||||
|
+QUIT
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
diff --git a/tests/data/test976 b/tests/data/test976
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..c4dd61e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tests/data/test976
|
||||||
|
@@ -0,0 +1,88 @@
|
||||||
|
+<testcase>
|
||||||
|
+<info>
|
||||||
|
+<keywords>
|
||||||
|
+HTTP
|
||||||
|
+--location-trusted
|
||||||
|
+</keywords>
|
||||||
|
+</info>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Server-side
|
||||||
|
+<reply>
|
||||||
|
+<data>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+</data>
|
||||||
|
+<data2>
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</data2>
|
||||||
|
+
|
||||||
|
+<datacheck>
|
||||||
|
+HTTP/1.1 301 redirect
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 0
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+Location: http://firsthost.com:9999/a/path/%TESTNUMBER0002
|
||||||
|
+
|
||||||
|
+HTTP/1.1 200 OK
|
||||||
|
+Date: Tue, 09 Nov 2010 14:49:00 GMT
|
||||||
|
+Server: test-server/fake
|
||||||
|
+Content-Length: 4
|
||||||
|
+Connection: close
|
||||||
|
+Content-Type: text/html
|
||||||
|
+
|
||||||
|
+hey
|
||||||
|
+</datacheck>
|
||||||
|
+
|
||||||
|
+</reply>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Client-side
|
||||||
|
+<client>
|
||||||
|
+<server>
|
||||||
|
+http
|
||||||
|
+</server>
|
||||||
|
+ <name>
|
||||||
|
+HTTP with auth redirected to HTTP on a diff port --location-trusted
|
||||||
|
+ </name>
|
||||||
|
+ <command>
|
||||||
|
+-x http://%HOSTIP:%HTTPPORT http://firsthost.com --location-trusted -u joe:secret
|
||||||
|
+</command>
|
||||||
|
+</client>
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Verify data after the test has been "shot"
|
||||||
|
+<verify>
|
||||||
|
+<protocol>
|
||||||
|
+GET http://firsthost.com/ HTTP/1.1
|
||||||
|
+Host: firsthost.com
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+GET http://firsthost.com:9999/a/path/%TESTNUMBER0002 HTTP/1.1
|
||||||
|
+Host: firsthost.com:9999
|
||||||
|
+Authorization: Basic am9lOnNlY3JldA==
|
||||||
|
+User-Agent: curl/%VERSION
|
||||||
|
+Accept: */*
|
||||||
|
+Proxy-Connection: Keep-Alive
|
||||||
|
+
|
||||||
|
+</protocol>
|
||||||
|
+</verify>
|
||||||
|
+</testcase>
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 443ce415aa60caaf8b1c9b0b71fff8d26263daca Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 25 Apr 2022 17:59:15 +0200
|
||||||
|
Subject: [PATCH 4/4] openssl: don't leak the SRP credentials in redirects
|
||||||
|
either
|
||||||
|
|
||||||
|
Follow-up to 620ea21410030
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Closes #8751
|
||||||
|
|
||||||
|
Upstream-commit: 139a54ed0a172adaaf1a78d6f4fff50b2c3f9e08
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/http.c | 10 +++++-----
|
||||||
|
lib/http.h | 6 ++++++
|
||||||
|
lib/vtls/openssl.c | 3 ++-
|
||||||
|
3 files changed, 13 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index 0791dcf..4433824 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -776,10 +776,10 @@ output_auth_headers(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * allow_auth_to_host() tells if autentication, cookies or other "sensitive
|
||||||
|
- * data" can (still) be sent to this host.
|
||||||
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
||||||
|
+ * "sensitive data" can (still) be sent to this host.
|
||||||
|
*/
|
||||||
|
-static bool allow_auth_to_host(struct Curl_easy *data)
|
||||||
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data)
|
||||||
|
{
|
||||||
|
struct connectdata *conn = data->conn;
|
||||||
|
return (!data->state.this_is_a_follow ||
|
||||||
|
@@ -864,7 +864,7 @@ Curl_http_output_auth(struct Curl_easy *data,
|
||||||
|
|
||||||
|
/* To prevent the user+password to get sent to other than the original host
|
||||||
|
due to a location-follow */
|
||||||
|
- if(allow_auth_to_host(data)
|
||||||
|
+ if(Curl_allow_auth_to_host(data)
|
||||||
|
|| conn->bits.netrc)
|
||||||
|
result = output_auth_headers(data, conn, authhost, request, path, FALSE);
|
||||||
|
else
|
||||||
|
@@ -1917,7 +1917,7 @@ CURLcode Curl_add_custom_headers(struct Curl_easy *data,
|
||||||
|
checkprefix("Cookie:", compare)) &&
|
||||||
|
/* be careful of sending this potentially sensitive header to
|
||||||
|
other hosts */
|
||||||
|
- !allow_auth_to_host(data))
|
||||||
|
+ !Curl_allow_auth_to_host(data))
|
||||||
|
;
|
||||||
|
else {
|
||||||
|
#ifdef USE_HYPER
|
||||||
|
diff --git a/lib/http.h b/lib/http.h
|
||||||
|
index 07e963d..9000bae 100644
|
||||||
|
--- a/lib/http.h
|
||||||
|
+++ b/lib/http.h
|
||||||
|
@@ -317,4 +317,10 @@ Curl_http_output_auth(struct Curl_easy *data,
|
||||||
|
bool proxytunnel); /* TRUE if this is the request setting
|
||||||
|
up the proxy tunnel */
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Curl_allow_auth_to_host() tells if authentication, cookies or other
|
||||||
|
+ * "sensitive data" can (still) be sent to this host.
|
||||||
|
+ */
|
||||||
|
+bool Curl_allow_auth_to_host(struct Curl_easy *data);
|
||||||
|
+
|
||||||
|
#endif /* HEADER_CURL_HTTP_H */
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 1bafe96..97c5666 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -2857,7 +2857,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_OPENSSL_SRP
|
||||||
|
- if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||||
|
+ if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
||||||
|
+ Curl_allow_auth_to_host(data)) {
|
||||||
|
char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
|
||||||
|
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
461
SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch
Normal file
461
SOURCES/0014-curl-7.76.1-CVE-2022-27782.patch
Normal file
@ -0,0 +1,461 @@
|
|||||||
|
From 50481ac42b4beae6ea85345e37b051124ac00f11 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Fri, 28 Jan 2022 16:48:38 +0100
|
||||||
|
Subject: [PATCH 1/3] setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds
|
||||||
|
|
||||||
|
Closes #8350
|
||||||
|
|
||||||
|
Upstream-commit: 96629ba2c212cda2bd1b7b04e2a9fc01ef70b75d
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/setopt.c | 10 +++++-----
|
||||||
|
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
|
index 08827d1..9eaa187 100644
|
||||||
|
--- a/lib/setopt.c
|
||||||
|
+++ b/lib/setopt.c
|
||||||
|
@@ -5,7 +5,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -2699,30 +2699,30 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
+#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
-#ifndef CURL_DISABLE_PROXY
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||||||
|
!data->set.proxy_ssl.authtype)
|
||||||
|
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
-#endif
|
||||||
|
break;
|
||||||
|
+#endif
|
||||||
|
case CURLOPT_TLSAUTH_PASSWORD:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||||||
|
va_arg(param, char *));
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
+#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
-#ifndef CURL_DISABLE_PROXY
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||||||
|
!data->set.proxy_ssl.authtype)
|
||||||
|
data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
-#endif
|
||||||
|
break;
|
||||||
|
+#endif
|
||||||
|
case CURLOPT_TLSAUTH_TYPE:
|
||||||
|
argptr = va_arg(param, char *);
|
||||||
|
if(!argptr ||
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 931fbabcae0b5d1a91657e6bb85f4f23fce7ac3d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
|
Subject: [PATCH 2/3] tls: check more TLS details for connection reuse
|
||||||
|
|
||||||
|
CVE-2022-27782
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27782.html
|
||||||
|
Closes #8825
|
||||||
|
|
||||||
|
Upstream-commit: f18af4f874cecab82a9797e8c7541e0990c7a64c
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/setopt.c | 29 +++++++++++++++++------------
|
||||||
|
lib/url.c | 23 ++++++++++++++++-------
|
||||||
|
lib/urldata.h | 13 +++++++------
|
||||||
|
lib/vtls/openssl.c | 10 +++++-----
|
||||||
|
lib/vtls/vtls.c | 21 +++++++++++++++++++++
|
||||||
|
5 files changed, 66 insertions(+), 30 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||||
|
index 8e1bf12..7aa6fdb 100644
|
||||||
|
--- a/lib/setopt.c
|
||||||
|
+++ b/lib/setopt.c
|
||||||
|
@@ -2268,6 +2268,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
|
|
||||||
|
case CURLOPT_SSL_OPTIONS:
|
||||||
|
arg = va_arg(param, long);
|
||||||
|
+ data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||||||
|
data->set.ssl.enable_beast =
|
||||||
|
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
|
||||||
|
data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
|
@@ -2281,6 +2282,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_SSL_OPTIONS:
|
||||||
|
arg = va_arg(param, long);
|
||||||
|
+ data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff);
|
||||||
|
data->set.proxy_ssl.enable_beast =
|
||||||
|
(bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
|
||||||
|
data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
|
||||||
|
@@ -2696,49 +2698,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||||
|
case CURLOPT_TLSAUTH_USERNAME:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
|
||||||
|
va_arg(param, char *));
|
||||||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
|
||||||
|
+ !data->set.ssl.primary.authtype)
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
break;
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_USERNAME:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||||||
|
- !data->set.proxy_ssl.authtype)
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ !data->set.proxy_ssl.primary.authtype)
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
|
||||||
|
+ SRP */
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case CURLOPT_TLSAUTH_PASSWORD:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
|
||||||
|
va_arg(param, char *));
|
||||||
|
- if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ if(data->set.str[STRING_TLSAUTH_USERNAME] &&
|
||||||
|
+ !data->set.ssl.primary.authtype)
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||||||
|
break;
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
|
||||||
|
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
|
||||||
|
va_arg(param, char *));
|
||||||
|
if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
|
||||||
|
- !data->set.proxy_ssl.authtype)
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
|
||||||
|
+ !data->set.proxy_ssl.primary.authtype)
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
case CURLOPT_TLSAUTH_TYPE:
|
||||||
|
argptr = va_arg(param, char *);
|
||||||
|
if(!argptr ||
|
||||||
|
strncasecompare(argptr, "SRP", strlen("SRP")))
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
else
|
||||||
|
- data->set.ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
+ data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
break;
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
case CURLOPT_PROXY_TLSAUTH_TYPE:
|
||||||
|
argptr = va_arg(param, char *);
|
||||||
|
if(!argptr ||
|
||||||
|
strncasecompare(argptr, "SRP", strlen("SRP")))
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
|
||||||
|
else
|
||||||
|
- data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
+ data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 94e3406..5ebf5e2 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -540,7 +540,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
|
||||||
|
set->ssl.primary.verifypeer = TRUE;
|
||||||
|
set->ssl.primary.verifyhost = TRUE;
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
- set->ssl.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
+ set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
|
||||||
|
#endif
|
||||||
|
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
|
||||||
|
type */
|
||||||
|
@@ -1719,11 +1719,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
|
||||||
|
conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus;
|
||||||
|
conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer;
|
||||||
|
conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost;
|
||||||
|
+ conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+#endif
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
conn->proxy_ssl_config.verifystatus =
|
||||||
|
data->set.proxy_ssl.primary.verifystatus;
|
||||||
|
conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer;
|
||||||
|
conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost;
|
||||||
|
+ conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+#endif
|
||||||
|
#endif
|
||||||
|
conn->ip_version = data->set.ipver;
|
||||||
|
conn->bits.connect_only = data->set.connect_only;
|
||||||
|
@@ -3764,7 +3770,8 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.str[STRING_SSL_ISSUERCERT_PROXY];
|
||||||
|
data->set.proxy_ssl.primary.issuercert_blob =
|
||||||
|
data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
|
||||||
|
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.CRLfile =
|
||||||
|
+ data->set.str[STRING_SSL_CRLFILE_PROXY];
|
||||||
|
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
|
||||||
|
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
|
||||||
|
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
|
||||||
|
@@ -3772,18 +3779,20 @@ static CURLcode create_conn(struct Curl_easy *data,
|
||||||
|
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
|
||||||
|
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
|
||||||
|
#endif
|
||||||
|
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
|
+ data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
|
||||||
|
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
|
||||||
|
data->set.ssl.key = data->set.str[STRING_KEY];
|
||||||
|
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
|
||||||
|
data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
|
||||||
|
data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
|
||||||
|
#ifdef USE_TLS_SRP
|
||||||
|
- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
|
- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
|
+ data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
|
||||||
|
+ data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||||
|
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.username =
|
||||||
|
+ data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
|
||||||
|
+ data->set.proxy_ssl.primary.password =
|
||||||
|
+ data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
|
||||||
|
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||||
|
index 5218f76..e006495 100644
|
||||||
|
--- a/lib/urldata.h
|
||||||
|
+++ b/lib/urldata.h
|
||||||
|
@@ -253,9 +253,16 @@ struct ssl_primary_config {
|
||||||
|
char *cipher_list; /* list of ciphers to use */
|
||||||
|
char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
|
||||||
|
char *pinned_key;
|
||||||
|
+ char *CRLfile; /* CRL to check certificate revocation */
|
||||||
|
struct curl_blob *cert_blob;
|
||||||
|
struct curl_blob *issuercert_blob;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ char *username; /* TLS username (for, e.g., SRP) */
|
||||||
|
+ char *password; /* TLS password (for, e.g., SRP) */
|
||||||
|
+ enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||||||
|
+#endif
|
||||||
|
char *curves; /* list of curves to use */
|
||||||
|
+ unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
|
||||||
|
BIT(verifypeer); /* set TRUE if this is desired */
|
||||||
|
BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
|
||||||
|
BIT(verifystatus); /* set TRUE if certificate status must be checked */
|
||||||
|
@@ -265,7 +272,6 @@ struct ssl_primary_config {
|
||||||
|
struct ssl_config_data {
|
||||||
|
struct ssl_primary_config primary;
|
||||||
|
long certverifyresult; /* result from the certificate verification */
|
||||||
|
- char *CRLfile; /* CRL to check certificate revocation */
|
||||||
|
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
|
||||||
|
void *fsslctxp; /* parameter for call back */
|
||||||
|
char *cert_type; /* format for certificate (default: PEM)*/
|
||||||
|
@@ -273,11 +279,6 @@ struct ssl_config_data {
|
||||||
|
struct curl_blob *key_blob;
|
||||||
|
char *key_type; /* format for private key (default: PEM) */
|
||||||
|
char *key_passwd; /* plain text private key password */
|
||||||
|
-#ifdef USE_TLS_SRP
|
||||||
|
- char *username; /* TLS username (for, e.g., SRP) */
|
||||||
|
- char *password; /* TLS password (for, e.g., SRP) */
|
||||||
|
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
|
||||||
|
-#endif
|
||||||
|
BIT(certinfo); /* gather lots of certificate info */
|
||||||
|
BIT(falsestart);
|
||||||
|
BIT(enable_beast); /* allow this flaw for interoperability's sake*/
|
||||||
|
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||||
|
index 97c5666..a4ef9d1 100644
|
||||||
|
--- a/lib/vtls/openssl.c
|
||||||
|
+++ b/lib/vtls/openssl.c
|
||||||
|
@@ -2546,7 +2546,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
#endif
|
||||||
|
const long int ssl_version = SSL_CONN_CONFIG(version);
|
||||||
|
#ifdef USE_OPENSSL_SRP
|
||||||
|
- const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
|
||||||
|
+ const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
|
||||||
|
#endif
|
||||||
|
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
|
||||||
|
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
|
||||||
|
@@ -2554,7 +2554,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
|
||||||
|
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
|
||||||
|
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
|
||||||
|
- const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
|
||||||
|
+ const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
|
||||||
|
char error_buffer[256];
|
||||||
|
struct ssl_backend_data *backend = connssl->backend;
|
||||||
|
bool imported_native_ca = false;
|
||||||
|
@@ -2859,15 +2859,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data,
|
||||||
|
#ifdef USE_OPENSSL_SRP
|
||||||
|
if((ssl_authtype == CURL_TLSAUTH_SRP) &&
|
||||||
|
Curl_allow_auth_to_host(data)) {
|
||||||
|
- char * const ssl_username = SSL_SET_OPTION(username);
|
||||||
|
-
|
||||||
|
+ char * const ssl_username = SSL_SET_OPTION(primary.username);
|
||||||
|
+ char * const ssl_password = SSL_SET_OPTION(primary.password);
|
||||||
|
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
|
||||||
|
|
||||||
|
if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
|
||||||
|
failf(data, "Unable to set SRP user name");
|
||||||
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
|
}
|
||||||
|
- if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) {
|
||||||
|
+ if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
|
||||||
|
failf(data, "failed setting SRP password");
|
||||||
|
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||||
|
}
|
||||||
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
|
||||||
|
index a40ac06..e2d3438 100644
|
||||||
|
--- a/lib/vtls/vtls.c
|
||||||
|
+++ b/lib/vtls/vtls.c
|
||||||
|
@@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
{
|
||||||
|
if((data->version == needle->version) &&
|
||||||
|
(data->version_max == needle->version_max) &&
|
||||||
|
+ (data->ssl_options == needle->ssl_options) &&
|
||||||
|
(data->verifypeer == needle->verifypeer) &&
|
||||||
|
(data->verifyhost == needle->verifyhost) &&
|
||||||
|
(data->verifystatus == needle->verifystatus) &&
|
||||||
|
@@ -143,9 +144,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
Curl_safecmp(data->clientcert, needle->clientcert) &&
|
||||||
|
Curl_safecmp(data->random_file, needle->random_file) &&
|
||||||
|
Curl_safecmp(data->egdsocket, needle->egdsocket) &&
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ Curl_safecmp(data->username, needle->username) &&
|
||||||
|
+ Curl_safecmp(data->password, needle->password) &&
|
||||||
|
+ (data->authtype == needle->authtype) &&
|
||||||
|
+#endif
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
|
||||||
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
|
||||||
|
Curl_safe_strcasecompare(data->curves, needle->curves) &&
|
||||||
|
+ Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
|
||||||
|
Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
|
||||||
|
return TRUE;
|
||||||
|
|
||||||
|
@@ -162,6 +169,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
|
dest->verifyhost = source->verifyhost;
|
||||||
|
dest->verifystatus = source->verifystatus;
|
||||||
|
dest->sessionid = source->sessionid;
|
||||||
|
+ dest->ssl_options = source->ssl_options;
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ dest->authtype = source->authtype;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
CLONE_BLOB(cert_blob);
|
||||||
|
CLONE_BLOB(issuercert_blob);
|
||||||
|
@@ -175,6 +186,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
||||||
|
CLONE_STRING(cipher_list13);
|
||||||
|
CLONE_STRING(pinned_key);
|
||||||
|
CLONE_STRING(curves);
|
||||||
|
+ CLONE_STRING(CRLfile);
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ CLONE_STRING(username);
|
||||||
|
+ CLONE_STRING(password);
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
@@ -193,6 +209,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
|
||||||
|
Curl_safefree(sslc->cert_blob);
|
||||||
|
Curl_safefree(sslc->issuercert_blob);
|
||||||
|
Curl_safefree(sslc->curves);
|
||||||
|
+ Curl_safefree(sslc->CRLfile);
|
||||||
|
+#ifdef USE_TLS_SRP
|
||||||
|
+ Curl_safefree(sslc->username);
|
||||||
|
+ Curl_safefree(sslc->password);
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef USE_SSL
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
||||||
|
|
||||||
|
From 5e9832048b30492e02dd222cd8bfe997e03cffa1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Mon, 9 May 2022 23:13:53 +0200
|
||||||
|
Subject: [PATCH 3/3] url: check SSH config match on connection reuse
|
||||||
|
|
||||||
|
CVE-2022-27782
|
||||||
|
|
||||||
|
Reported-by: Harry Sintonen
|
||||||
|
Bug: https://curl.se/docs/CVE-2022-27782.html
|
||||||
|
Closes #8825
|
||||||
|
|
||||||
|
Upstream-commit: 1645e9b44505abd5cbaf65da5282c3f33b5924a5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/url.c | 11 +++++++++++
|
||||||
|
lib/vssh/ssh.h | 6 +++---
|
||||||
|
2 files changed, 14 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 5ebf5e2..c713e54 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -1073,6 +1073,12 @@ static void prune_dead_connections(struct Curl_easy *data)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool ssh_config_matches(struct connectdata *one,
|
||||||
|
+ struct connectdata *two)
|
||||||
|
+{
|
||||||
|
+ return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) &&
|
||||||
|
+ Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub));
|
||||||
|
+}
|
||||||
|
/*
|
||||||
|
* Given one filled in connection struct (named needle), this function should
|
||||||
|
* detect if there already is one that has all the significant details
|
||||||
|
@@ -1319,6 +1325,11 @@ ConnectionExists(struct Curl_easy *data,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) {
|
||||||
|
+ if(!ssh_config_matches(needle, check))
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if((needle->handler->flags&PROTOPT_SSL)
|
||||||
|
#ifndef CURL_DISABLE_PROXY
|
||||||
|
|| !needle->bits.httpproxy || needle->bits.tunnel_proxy
|
||||||
|
diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h
|
||||||
|
index 7972081..30d82e5 100644
|
||||||
|
--- a/lib/vssh/ssh.h
|
||||||
|
+++ b/lib/vssh/ssh.h
|
||||||
|
@@ -7,7 +7,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -131,8 +131,8 @@ struct ssh_conn {
|
||||||
|
|
||||||
|
/* common */
|
||||||
|
const char *passphrase; /* pass-phrase to use */
|
||||||
|
- char *rsa_pub; /* path name */
|
||||||
|
- char *rsa; /* path name */
|
||||||
|
+ char *rsa_pub; /* strdup'ed public key file */
|
||||||
|
+ char *rsa; /* strdup'ed private key file */
|
||||||
|
bool authed; /* the connection has been authenticated fine */
|
||||||
|
bool acceptfail; /* used by the SFTP_QUOTE (continue if
|
||||||
|
quote command fails) */
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
101
SOURCES/0015-curl-7.76.1-tests-openssh.patch
Normal file
101
SOURCES/0015-curl-7.76.1-tests-openssh.patch
Normal file
@ -0,0 +1,101 @@
|
|||||||
|
From 85a8c0e9992cee271145ecf009f60b9bee9b7a60 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
Date: Wed, 15 Sep 2021 09:59:14 +0200
|
||||||
|
Subject: [PATCH] tests/sshserver.pl: make it work with openssh-8.7p1
|
||||||
|
|
||||||
|
... by not using options with no argument where an argument is required:
|
||||||
|
|
||||||
|
=== Start of file tests/log/ssh_server.log
|
||||||
|
curl_sshd_config line 6: no argument after keyword "DenyGroups"
|
||||||
|
curl_sshd_config line 7: no argument after keyword "AllowGroups"
|
||||||
|
curl_sshd_config line 10: Deprecated option AuthorizedKeysFile2
|
||||||
|
curl_sshd_config line 29: Deprecated option KeyRegenerationInterval
|
||||||
|
curl_sshd_config line 39: Deprecated option RhostsRSAAuthentication
|
||||||
|
curl_sshd_config line 40: Deprecated option RSAAuthentication
|
||||||
|
curl_sshd_config line 41: Deprecated option ServerKeyBits
|
||||||
|
curl_sshd_config line 45: Deprecated option UseLogin
|
||||||
|
curl_sshd_config line 56: no argument after keyword "AcceptEnv"
|
||||||
|
curl_sshd_config: terminating, 3 bad configuration options
|
||||||
|
=== End of file tests/log/ssh_server.log
|
||||||
|
|
||||||
|
=== Start of file log/sftp_server.log
|
||||||
|
curl_sftp_config line 33: Unsupported option "rhostsrsaauthentication"
|
||||||
|
curl_sftp_config line 34: Unsupported option "rsaauthentication"
|
||||||
|
curl_sftp_config line 52: no argument after keyword "sendenv"
|
||||||
|
curl_sftp_config: terminating, 1 bad configuration options
|
||||||
|
Connection closed.
|
||||||
|
Connection closed
|
||||||
|
=== End of file log/sftp_server.log
|
||||||
|
|
||||||
|
Closes #7724
|
||||||
|
|
||||||
|
Upstream-commit: ab78d2c679dfb37b27e89f42ad050c3153fa7513
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
tests/sshserver.pl | 14 --------------
|
||||||
|
1 file changed, 14 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/sshserver.pl b/tests/sshserver.pl
|
||||||
|
index 9441939..2afaace 100644
|
||||||
|
--- a/tests/sshserver.pl
|
||||||
|
+++ b/tests/sshserver.pl
|
||||||
|
@@ -428,9 +428,7 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
||||||
|
# ssh daemon configuration file options we might use and version support
|
||||||
|
#
|
||||||
|
# AFSTokenPassing : OpenSSH 1.2.1 and later [1]
|
||||||
|
-# AcceptEnv : OpenSSH 3.9.0 and later
|
||||||
|
# AddressFamily : OpenSSH 4.0.0 and later
|
||||||
|
-# AllowGroups : OpenSSH 1.2.1 and later
|
||||||
|
# AllowTcpForwarding : OpenSSH 2.3.0 and later
|
||||||
|
# AllowUsers : OpenSSH 1.2.1 and later
|
||||||
|
# AuthorizedKeysFile : OpenSSH 2.9.9 and later
|
||||||
|
@@ -441,7 +439,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
||||||
|
# ClientAliveCountMax : OpenSSH 2.9.0 and later
|
||||||
|
# ClientAliveInterval : OpenSSH 2.9.0 and later
|
||||||
|
# Compression : OpenSSH 3.3.0 and later
|
||||||
|
-# DenyGroups : OpenSSH 1.2.1 and later
|
||||||
|
# DenyUsers : OpenSSH 1.2.1 and later
|
||||||
|
# ForceCommand : OpenSSH 4.4.0 and later [3]
|
||||||
|
# GatewayPorts : OpenSSH 2.1.0 and later
|
||||||
|
@@ -534,9 +531,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
||||||
|
push @cfgarr, "AllowUsers $username";
|
||||||
|
}
|
||||||
|
|
||||||
|
-push @cfgarr, 'DenyGroups';
|
||||||
|
-push @cfgarr, 'AllowGroups';
|
||||||
|
-push @cfgarr, '#';
|
||||||
|
push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config";
|
||||||
|
push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config";
|
||||||
|
push @cfgarr, "HostKey $hstprvkeyf_config";
|
||||||
|
@@ -684,9 +678,6 @@ push @cfgarr, '#';
|
||||||
|
#***************************************************************************
|
||||||
|
# Options that might be supported or not in sshd OpenSSH 2.9.9 and later
|
||||||
|
#
|
||||||
|
-if(sshd_supports_opt('AcceptEnv','')) {
|
||||||
|
- push @cfgarr, 'AcceptEnv';
|
||||||
|
-}
|
||||||
|
if(sshd_supports_opt('AddressFamily','any')) {
|
||||||
|
# Address family must be specified before ListenAddress
|
||||||
|
splice @cfgarr, 14, 0, 'AddressFamily any';
|
||||||
|
@@ -873,7 +864,6 @@ if ($sshdid =~ /OpenSSH-Windows/) {
|
||||||
|
# RemoteForward : OpenSSH 1.2.1 and later [3]
|
||||||
|
# RhostsRSAAuthentication : OpenSSH 1.2.1 and later
|
||||||
|
# RSAAuthentication : OpenSSH 1.2.1 and later
|
||||||
|
-# SendEnv : OpenSSH 3.9.0 and later
|
||||||
|
# ServerAliveCountMax : OpenSSH 3.8.0 and later
|
||||||
|
# ServerAliveInterval : OpenSSH 3.8.0 and later
|
||||||
|
# SmartcardDevice : OpenSSH 2.9.9 and later [1][3]
|
||||||
|
@@ -1028,10 +1018,6 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
|
||||||
|
push @cfgarr, 'RekeyLimit 1G';
|
||||||
|
}
|
||||||
|
|
||||||
|
-if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
|
||||||
|
- push @cfgarr, 'SendEnv';
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
|
||||||
|
(($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
|
||||||
|
push @cfgarr, 'ServerAliveCountMax 3';
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.76.1
|
Version: 7.76.1
|
||||||
Release: 14%{?dist}
|
Release: 14%{?dist}.4
|
||||||
License: MIT
|
License: MIT
|
||||||
Source: https://curl.se/download/%{name}-%{version}.tar.xz
|
Source: https://curl.se/download/%{name}-%{version}.tar.xz
|
||||||
|
|
||||||
@ -32,6 +32,21 @@ Patch8: 0008-curl-7.76.1-CVE-2021-22946.patch
|
|||||||
# fix STARTTLS protocol injection via MITM (CVE-2021-22947)
|
# fix STARTTLS protocol injection via MITM (CVE-2021-22947)
|
||||||
Patch9: 0009-curl-7.76.1-CVE-2021-22947.patch
|
Patch9: 0009-curl-7.76.1-CVE-2021-22947.patch
|
||||||
|
|
||||||
|
# fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
|
||||||
|
Patch10: 0010-curl-7.76.1-CVE-2022-22576.patch
|
||||||
|
|
||||||
|
# fix auth/cookie leak on redirect (CVE-2022-27776)
|
||||||
|
Patch12: 0012-curl-7.76.1-CVE-2022-27776.patch
|
||||||
|
|
||||||
|
# fix credential leak on redirect (CVE-2022-27774)
|
||||||
|
Patch13: 0013-curl-7.76.1-CVE-2022-27774.patch
|
||||||
|
|
||||||
|
# fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
|
||||||
|
Patch14: 0014-curl-7.76.1-CVE-2022-27782.patch
|
||||||
|
|
||||||
|
# make upstream tests work with openssh-8.7p1
|
||||||
|
Patch15: 0015-curl-7.76.1-tests-openssh.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
@ -216,6 +231,11 @@ be installed.
|
|||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
|
%patch10 -p1
|
||||||
|
%patch12 -p1
|
||||||
|
%patch13 -p1
|
||||||
|
%patch14 -p1
|
||||||
|
%patch15 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
@ -436,6 +456,20 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
|||||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed May 11 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.4
|
||||||
|
- fix too eager reuse of TLS and SSH connections (CVE-2022-27782)
|
||||||
|
|
||||||
|
* Mon May 02 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.3
|
||||||
|
- fix leak of SRP credentials in redirects (CVE-2022-27774)
|
||||||
|
|
||||||
|
* Fri Apr 29 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.2
|
||||||
|
- add missing tests to Makefile
|
||||||
|
|
||||||
|
* Thu Apr 28 2022 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14.el9_0.1
|
||||||
|
- fix credential leak on redirect (CVE-2022-27774)
|
||||||
|
- fix auth/cookie leak on redirect (CVE-2022-27776)
|
||||||
|
- fix OAUTH2 bearer bypass in connection re-use (CVE-2022-22576)
|
||||||
|
|
||||||
* Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14
|
* Tue Oct 26 2021 Kamil Dudka <kdudka@redhat.com> - 7.76.1-14
|
||||||
- re-disable HSTS in libcurl as an experimental feature (#2005874)
|
- re-disable HSTS in libcurl as an experimental feature (#2005874)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user