curl - multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177, CVE-2020-8231)
CVE-2020-8169: Partial password leak over DNS on HTTP redirect
libcurl can be tricked into prepending part of the password to the host name before resolving it, potentially leaking the partial password over the network and to the DNS server(s).
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line.
CVE-2020-8231: libcurl: wrong connect-only connection
An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option might, in rare circumstances, find that when it subsequently uses the set-up connect-only transfer, libcurl picks the wrong connection and instead uses another one the application has created since then.
libcurl 7.29.0 to and including 7.71.1
Upgrade to curl 7.72.0
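
A check for the CVE-2020-8177 precondition (-J together with -i on one curl command line), as an added example that is not part of the original advisory: it scans shell script text for such invocations so they can be reviewed. The option tables, function names and sample lines are assumptions constructed for illustration, and the tables are not exhaustive.

```python
import shlex
# Short options that take a value (assumed, non-exhaustive): in -oJi, "Ji" is the value.
SHORT_WITH_ARG = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")
# Long options that take a value (assumed subset; exact names only).
LONG_WITH_ARG = {"--output", "--header", "--data", "--user", "--request"}

# Constructed sample script; example.invalid is a placeholder host.
SAMPLE = """\
curl -O -J -i https://example.invalid/a
curl -JOi https://example.invalid/b
curl -oJi https://example.invalid/c
curl --remote-header-name -O --include https://example.invalid/d
curl -J -O https://example.invalid/e | grep -i name
curl -H "X-Id: -J -i" -O https://example.invalid/f
"""

def curl_flags(argv):
    """Return which of 'J' and 'i' are set in one curl argument vector."""
    found, skip = set(), False
    for arg in argv:
        if arg in ("|", "||", "&&", ";"):
            break                          # end of the curl command
        if skip:                           # this word is the previous option's value
            skip = False
        elif arg in ("--remote-header-name", "--include"):
            found.add("J" if arg == "--remote-header-name" else "i")
        elif arg.startswith("--"):
            skip = arg in LONG_WITH_ARG
        elif arg.startswith("-"):
            for pos, ch in enumerate(arg[1:], start=1):
                if ch in SHORT_WITH_ARG:
                    skip = pos == len(arg) - 1   # value is the next word
                    break
                if ch in "Ji":
                    found.add(ch)
    return found

def risky_curl_lines(script_text):
    """Return (line number, line) for curl calls that combine -J and -i."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), start=1):
        words = shlex.split(line, comments=True)
        if "curl" in words and curl_flags(words[words.index("curl") + 1:]) == {"J", "i"}:
            hits.append((n, line.strip()))
    return hits

if __name__ == "__main__":
    for n, line in risky_curl_lines(SAMPLE):
        print(f"line {n}: -J with -i: {line}")
```

Lines 1, 2 and 4 of the sample are reported; the `-oJi` cluster, the piped `grep -i` and the quoted header value are not.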