curl - multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177, CVE-2020-8231)
CVE-2020-8169:Partial password leak over DNS on HTTP redirect
libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s).
References
https://curl.haxx.se/docs/CVE-2020-8169.html
CVE-2020-8177: curl overwrite local file with -J
curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line.
References
https://curl.haxx.se/docs/CVE-2020-8177.html
CVE-2020-8231: libcurl: wrong connect-only connection
An application that performs multiple requests with libcurl's multi API and sets the CURLOPT_CONNECT_ONLY option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection - and instead pick another one the application has created since then.
References
https://curl.haxx.se/docs/CVE-2020-8231.html
Affected versions
libcurl 7.29.0 to and including 7.71.1
Recommendation
Upgrade to curl 7.72.0
Affected branches:
-
master -
3.12-stable -
3.11-stable -
3.10-stable -
3.9-stable