SECURITY: Fedora 35 Update: curl-7.79.1-1.fc35
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2021-1d24845e93
2021-11-03 01:10:35.195931
--------------------------------------------------------------------------------
Name : curl
Product : Fedora 35
Version : 7.79.1
Release : 1.fc35
URL : https://curl.se/
Summary : A utility for getting files from remote servers (FTP, HTTP, and others)
Description :
curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user+password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.
--------------------------------------------------------------------------------
Update Information:
- update to latest upstream bugfix release ---- new upstream release, which
fixes the following vulnerabilities: * CVE-2021-22947 - STARTTLS protocol
injection via MITM * CVE-2021-22946 - protocol downgrade required TLS bypassed *
CVE-2021-22945 - use-after-free and double-free in MQTT sending
--------------------------------------------------------------------------------
ChangeLog:
* Wed Sep 22 2021 Kamil Dudka - 7.79.1-1
- new upstream release
* Thu Sep 16 2021 Kamil Dudka - 7.79.0-4
- fix regression in http2 implementation introduced in the last release
* Thu Sep 16 2021 Sahana Prasad - 7.79.0-3
- Rebuilt with OpenSSL 3.0.0
* Thu Sep 16 2021 Kamil Dudka - 7.79.0-2
- make SCP/SFTP tests work with openssh-8.7p1
* Wed Sep 15 2021 Kamil Dudka - 7.79.0-1
- new upstream release, which fixes the following vulnerabilities
CVE-2021-22947 - STARTTLS protocol injection via MITM
CVE-2021-22946 - protocol downgrade required TLS bypassed
CVE-2021-22945 - use-after-free and double-free in MQTT sending
* Tue Sep 14 2021 Sahana Prasad - 7.78.0-4
- Rebuilt with OpenSSL 3.0.0
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #2004362 - CVE-2021-22945 curl: use-after-free and double-free in MQTT sending [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2004362
[ 2 ] Bug #2004363 - CVE-2021-22947 curl: STARTTLS protocol injection via MITM [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2004363
[ 3 ] Bug #2004374 - curl-7.79.0 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2004374
[ 4 ] Bug #2004927 - CVE-2021-22946 curl: protocol downgrade required TLS bypassed [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2004927
[ 5 ] Bug #2006653 - curl-7.79.1 is available
https://bugzilla.redhat.com/show_bug.cgi?id=2006653
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-1d24845e93' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
A curl security update has been released for Fedora 35.