curl: CVE-2022-43552: HTTP Proxy deny use-after-free

Related Vulnerabilities: CVE-2022-43552   CVE-2022-43551  

Debian Bug report logs - #1026830
curl: CVE-2022-43552: HTTP Proxy deny use-after-free


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 Dec 2022 20:33:06 UTC

Severity: important

Tags: security, upstream

Found in versions curl/7.74.0-1.3, curl/7.86.0-2

Fixed in version curl/7.86.0-3

Done: Sergio Durigan Junior <sergiodj@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>:
Bug#1026830; Package src:curl. (Wed, 21 Dec 2022 20:33:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Alessandro Ghedini <ghedo@debian.org>. (Wed, 21 Dec 2022 20:33:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: curl: CVE-2022-43552: HTTP Proxy deny use-after-free
Date: Wed, 21 Dec 2022 21:31:57 +0100
Source: curl
Version: 7.86.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 7.74.0-1.3

Hi,

The following vulnerability was published for curl.

CVE-2022-43552[0]:
| HTTP Proxy deny use-after-free

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43552
    https://www.cve.org/CVERecord?id=CVE-2022-43552
[1] https://curl.se/docs/CVE-2022-43552.html

Regards,
Salvatore



Marked as found in versions curl/7.74.0-1.3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 21 Dec 2022 20:33:09 GMT)


Reply sent to Sergio Durigan Junior <sergiodj@debian.org>:
You have taken responsibility. (Wed, 21 Dec 2022 21:54:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 21 Dec 2022 21:54:12 GMT)


Message #12 received at 1026830-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1026830-close@bugs.debian.org
Subject: Bug#1026830: fixed in curl 7.86.0-3
Date: Wed, 21 Dec 2022 21:50:30 +0000
Source: curl
Source-Version: 7.86.0-3
Done: Sergio Durigan Junior <sergiodj@debian.org>

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1026830@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sergio Durigan Junior <sergiodj@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Dec 2022 15:55:18 -0500
Source: curl
Architecture: source
Version: 7.86.0-3
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <ghedo@debian.org>
Changed-By: Sergio Durigan Junior <sergiodj@debian.org>
Closes: 1026829 1026830
Changes:
 curl (7.86.0-3) unstable; urgency=medium
 .
   * Fix two HSTS-related CVEs.
     - d/p/CVE-2022-43551-another-hsts-bypass-via-idn.patch: use the IDN
       decoded name in HSTS checks.
       (Closes: #1026829, CVE-2022-43551)
     - d/p/CVE-2022-43552-http-proxy-deny-use-after-free.patch: do not free
       smb's/telnet's protocol struct in *_done().
       (Closes: #1026830, CVE-2022-43552)
Checksums-Sha1:
 05f0961a9715c55c229ef61e3987a368f79bae76 2984 curl_7.86.0-3.dsc
 1d1606131b7457c50a84f869efd357ada13284ac 41656 curl_7.86.0-3.debian.tar.xz
 6bf113b5b0b83aa5da28bcc94285b340dd6a1ce0 12826 curl_7.86.0-3_amd64.buildinfo
Checksums-Sha256:
 0d827d32b5a11cfc755fac6df75641ac2a6236ceec4e1ada1086b8505835d58e 2984 curl_7.86.0-3.dsc
 466e1fcf4fa5726ef86ee254c8725e11837395ebb9c41ee13fa4cea15b77956f 41656 curl_7.86.0-3.debian.tar.xz
 5cd8d28cdd6798ed67caee5c80732cbd5befb84682b0af4817f69bfeffb84873 12826 curl_7.86.0-3_amd64.buildinfo
Files:
 1e7d4bd4084636525d7a2b8706b56833 2984 web optional curl_7.86.0-3.dsc
 d803d3feaee509f9ad57979488c5ca9a 41656 web optional curl_7.86.0-3.debian.tar.xz
 fc56bcf4ae7e335fdf0eccfe562d7dd5 12826 web optional curl_7.86.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
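The changelog entry above describes the fix as no longer freeing the SMB/telnet protocol struct in the *_done() handler. The C program below is an added illustration, not curl's code and not the curl patch, of why a hook that frees state it does not own produces a use-after-free once the real owner's teardown runs. The tracking allocator, the struct and field names, the constructed SMB share string, and the assumption that connection teardown reads the protocol struct before releasing it are all this example's own; what curl's shutdown path actually does is not on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal tracking allocator constructed for this example: it records which
 * blocks are live so that touching a freed block is reported deterministically
 * instead of being undefined behaviour. AddressSanitizer plays this role in a
 * real build; curl has no such allocator. */
#define MAX_BLOCKS 16
static void *live_blocks[MAX_BLOCKS];
static int uaf_detected;   /* incremented whenever a freed block is touched */

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_BLOCKS; i++) {
        if (!live_blocks[i]) { live_blocks[i] = p; return p; }
    }
    free(p);
    return NULL;
}

static int is_live(const void *p)
{
    for (int i = 0; i < MAX_BLOCKS; i++)
        if (p && live_blocks[i] == p) return 1;
    return 0;
}

static void tracked_free(void *p)
{
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (live_blocks[i] == p) { live_blocks[i] = NULL; free(p); return; }
    }
    uaf_detected++;   /* freeing a block that is not live: a double free */
}

/* Per-protocol state hung off a connection, standing in for the smb/telnet
 * structs the changelog mentions. Field names are hypothetical. */
struct proto_state {
    char share[64];
    int bytes_left;
};

struct connection {
    struct proto_state *proto;   /* owned by the connection, not by the transfer */
};

/* Transfer-level "done" hook. The buggy variant frees the protocol struct here
 * although the connection still holds the pointer; the fixed variant leaves
 * ownership with the connection, which is what the changelog entry describes. */
static void proto_done(struct connection *c, int buggy)
{
    if (buggy)
        tracked_free(c->proto);   /* c->proto is now dangling */
}

/* Connection teardown. Assumed for this model: it reads the protocol struct
 * before releasing it. Returns the pending byte count, or -1 if the struct was
 * already freed (the use-after-free). */
static int conn_disconnect(struct connection *c)
{
    if (!c->proto)
        return 0;
    if (!is_live(c->proto)) {
        uaf_detected++;
        c->proto = NULL;
        return -1;
    }
    int pending = c->proto->bytes_left;
    tracked_free(c->proto);
    c->proto = NULL;
    return pending;
}

/* One tunnel attempt that ends early (modelling a proxy denial): the transfer's
 * done hook runs, then the connection is torn down.
 * Returns the number of use-after-free events observed. */
int simulate_denied_tunnel(int buggy)
{
    uaf_detected = 0;
    struct connection c = { 0 };
    c.proto = tracked_alloc(sizeof *c.proto);
    if (!c.proto)
        return -1;
    strcpy(c.proto->share, "//fileserver.example.test/share");  /* constructed input */
    c.proto->bytes_left = 512;

    proto_done(&c, buggy);    /* early end of the transfer */
    conn_disconnect(&c);      /* teardown touches c->proto again */
    return uaf_detected;
}

int main(void)
{
    printf("buggy done(): %d use-after-free event(s)\n", simulate_denied_tunnel(1));
    printf("fixed done(): %d use-after-free event(s)\n", simulate_denied_tunnel(0));
    return 0;
}
```

The tracking allocator stands in for what `-fsanitize=address` would report on a real build; the ownership rule it illustrates is that the component that allocated and stores the pointer (here the connection) is the one that frees it, and a transfer-level done hook must not release state it does not own.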






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Dec 22 16:35:51 2022; Machine Name: bembo
