Vulmon
Amazon Linux 2 Security Advisory: ALAS-2022-1792
Advisory Release Date: 2022-05-04 01:01 Pacific
Advisory Updated Date: 2022-05-05 14:02 Pacific
A vulnerability was found in curl. This security flaw allows reusing OAUTH2-authenticated connections without properly ensuring that the connection was authenticated with the same credentials set for this transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor. (CVE-2022-22576)
A vulnerability was found in curl. This security flaw allows leaking credentials to other servers when it follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers. (CVE-2022-27774)
A vulnerability was found in curl. This security flaw occurs due to errors in the logic where the config matching function did not take the IPv6 address zone id into account. This issue can lead to curl reusing the wrong connection when one transfer uses a zone id, and the subsequent transfer uses another. (CVE-2022-27775)
A vulnerability was found in curl. This security flaw allows leak authentication or cookie header data on HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a different port number is a problem for applications that pass on custom `Authorization:` or `Cookie:`headers. Those headers often contain privacy-sensitive information or data. (CVE-2022-27776)
Affected Packages:
curl
Issue Correction:
Run yum update curl to update your system.
aarch64:
curl-7.79.1-2.amzn2.0.1.aarch64
libcurl-7.79.1-2.amzn2.0.1.aarch64
libcurl-devel-7.79.1-2.amzn2.0.1.aarch64
curl-debuginfo-7.79.1-2.amzn2.0.1.aarch64
i686:
curl-7.79.1-2.amzn2.0.1.i686
libcurl-7.79.1-2.amzn2.0.1.i686
libcurl-devel-7.79.1-2.amzn2.0.1.i686
curl-debuginfo-7.79.1-2.amzn2.0.1.i686
src:
curl-7.79.1-2.amzn2.0.1.src
x86_64:
curl-7.79.1-2.amzn2.0.1.x86_64
libcurl-7.79.1-2.amzn2.0.1.x86_64
libcurl-devel-7.79.1-2.amzn2.0.1.x86_64
curl-debuginfo-7.79.1-2.amzn2.0.1.x86_64