GNU bug report logs

#47563 curl is vulnerable to CVE-2021-22890 and CVE-2021-22876

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 2 Apr 2021 14:04:45 +0000
From debbugs-submit-bounces@debbugs.gnu.org Fri Apr 02 10:04:45 2021
Received: from localhost ([127.0.0.1]:60793 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1lSKPk-00065q-PS
	for submit@debbugs.gnu.org; Fri, 02 Apr 2021 10:04:45 -0400
Received: from lists.gnu.org ([209.51.188.17]:35248)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <lle-bout@zaclys.net>) id 1lSKPi-00065i-Ij
 for submit@debbugs.gnu.org; Fri, 02 Apr 2021 10:04:43 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:56542)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lSKPi-00031e-EK
 for bug-guix@gnu.org; Fri, 02 Apr 2021 10:04:42 -0400
Received: from mail.zaclys.net ([178.33.93.72]:39769)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <lle-bout@zaclys.net>)
 id 1lSKPg-0001Hk-0k
 for bug-guix@gnu.org; Fri, 02 Apr 2021 10:04:42 -0400
Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net
 [78.195.19.20] (may be forged)) (authenticated bits=0)
 by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 132E4Zkg037813
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
 for <bug-guix@gnu.org>; Fri, 2 Apr 2021 16:04:36 +0200
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 132E4Zkg037813
Authentication-Results: mail.zaclys.net;
 dmarc=fail (p=reject dis=none) header.from=zaclys.net
Authentication-Results: mail.zaclys.net;
 spf=fail smtp.mailfrom=lle-bout@zaclys.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net;
 s=default; t=1617372276;
 bh=wZ+tkaesp+8zpA8DIG5w4c+Rx0qmVIjtylJWYTtu5xI=;
 h=Subject:From:To:Date:From;
 b=F8y12PCB3mz+mhQPIKB5fBmzetjxCx2C88lxlBTOfbQQDzD72srqy/7yhQ7pmYOWD
 kA6g/qfGxgQLNfyPvAIBFpOk34cn39fy/ogazcdwZYFGORMVh9lMCtTcuX4Tkb7W+e
 TzJ5EyYgdmwPNHZmc7ztgirxUU29wccrtt3z346Q=
Message-ID: <3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net>
Subject: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876
From: Léo Le Bouter <lle-bout@zaclys.net>
To: bug-guix@gnu.org
Date: Fri, 02 Apr 2021 16:04:31 +0200
Content-Type: multipart/signed; micalg="pgp-sha512";
 protocol="application/pgp-signature"; boundary="=-mOK1+BCSGvsyQnPFj8Cj"
User-Agent: Evolution 3.34.2 
MIME-Version: 1.0
Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net;
 helo=mail.zaclys.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 1.4 (+)
X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  CVE-2021-22890 01.04.21 20:15 curl 7.63.0 to and including
 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM
 a connection due to bad handling of TLS 1.3 session tickets. When u [...]
 Content analysis details:   (1.4 points, 10.0 required)
 pts rule name              description
 ---- ---------------------- --------------------------------------------------
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 1.0 SPF_SOFTFAIL           SPF: sender does not match SPF record (softfail)
 0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
 [209.51.188.17 listed in wl.mailspike.net]
 -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,
 medium trust [209.51.188.17 listed in list.dnswl.org]
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
 2.7 MAY_BE_FORGED          Relay IP's reverse DNS does not resolve to IP
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -2.3 (--)

[Message part 1 (text/plain, inline)]
CVE-2021-22890	01.04.21 20:15
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows
a malicious HTTPS proxy to MITM a connection due to bad handling of TLS
1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can
confuse session tickets arriving from the HTTPS proxy but work as if
they arrived from the remote server and then wrongly "short-cut" the
host handshake. When confusing the tickets, a HTTPS proxy can trick
libcurl to use the wrong session ticket resume for the host and thereby
circumvent the server TLS certificate check and make a MITM attack to
be possible to perform unnoticed. Note that such a malicious HTTPS
proxy needs to provide a certificate that curl will accept for the
MITMed server for an attack to work - unless curl has been told to
ignore the server certificate check.

CVE-2021-22876	01.04.21 20:15
curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of
Private Personal Information to an Unauthorized Actor" by leaking
credentials in the HTTP Referer: header. libcurl does not strip off
user credentials from the URL when automatically populating the
Referer: HTTP request header field in outgoing HTTP requests, and
therefore risks leaking sensitive data to the server that is the target
of the second HTTP request.

A WIP patch will follow, please help finishing it (rebase curl-CVE-
2021-22890.patch on 7.74.0).

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sat Dec 21 18:36:46 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.