curl: Multiple vulnerabilities (CVE-2020-8284, CVE-2020-8285, CVE-2020-8286)
CVE-2020-8284: trusting FTP PASV responses
When curl performs a passive FTP transfer, it first tries the EPSV command and, if the server does not support it, falls back to PASV. Passive mode is what curl uses by default. The server's reply to PASV carries an (IPv4) address and a port number that the client is expected to connect back to for the actual data transfer. Before 7.74.0, curl connected to whatever address the reply named. A malicious server (which can also simply reject EPSV to force the PASV path) could therefore point the client at any host and port the client can reach, including services on the client's own network that the server cannot reach itself, and use the client as a probe for services that are otherwise private. curl 7.74.0 changes the default of CURLOPT_FTP_SKIP_PASV_IP (--ftp-skip-pasv-ip in the tool) to enabled: the address in the PASV reply is ignored and the data connection is made to the same address as the control connection, using only the port from the reply. An EPSV reply carries only a port, so that path was never affected.
Affected versions: curl 4.0 to and including 7.73.0
Not affected versions: curl >= 7.74.0
Reference:
https://curl.se/docs/CVE-2020-8284.html
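As an added illustration, not code from this page or from curl itself: a minimal C parser for the 227 reply together with the decision the 7.74.0 default makes, run over constructed sample replies. libcurl's real parsing lives in lib/ftp.c and is more involved; the functions parse_pasv and choose_data_target, the skip_pasv_ip flag standing in for CURLOPT_FTP_SKIP_PASV_IP, and the sample addresses are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed form of an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply. */
struct pasv_target {
    char host[16];   /* dotted quad taken from the reply */
    uint16_t port;   /* p1*256 + p2 */
};

/* Pull the six-number tuple out of a 227 reply.
 * Returns 1 on success, 0 if the line is not a well-formed PASV response.
 * The parentheses are optional: RFC 959 shows them, but some servers omit them. */
int parse_pasv(const char *line, struct pasv_target *out)
{
    unsigned v[6];
    const char *p = line;
    int i;

    if (strncmp(line, "227", 3) != 0)
        return 0;
    p += 3;
    while (*p && !(*p >= '0' && *p <= '9'))   /* skip to the first digit */
        p++;
    if (sscanf(p, "%u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return 0;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    snprintf(out->host, sizeof out->host, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    out->port = (uint16_t)(v[4] * 256 + v[5]);
    return 1;
}

/* Decide where the data connection goes.  control_ip is the address the
 * control connection already talks to.  With skip_pasv_ip set (what
 * CURLOPT_FTP_SKIP_PASV_IP selects, and libcurl's default since 7.74.0)
 * only the port is taken from the reply and the host stays control_ip.
 * With it clear the reply's host is trusted: the pre-7.74.0 default, and
 * the behaviour CVE-2020-8284 describes.  Returns 1 if the reply pointed
 * somewhere other than control_ip, 0 otherwise. */
int choose_data_target(const struct pasv_target *reply, const char *control_ip,
                       int skip_pasv_ip, struct pasv_target *data)
{
    int redirected = strcmp(reply->host, control_ip) != 0;

    data->port = reply->port;
    snprintf(data->host, sizeof data->host, "%s",
             (skip_pasv_ip || !redirected) ? control_ip : reply->host);
    return redirected;
}

/* Constructed sample traffic (not captured from a real server). */
static const char *CONTROL_IP    = "192.0.2.10";
static const char *BENIGN_REPLY  = "227 Entering Passive Mode (192,0,2,10,195,80)";
static const char *HOSTILE_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)";

/* Benign case: the reply names the server we are already talking to.
 * Returns the chosen data port (50000 here), or -1 on a parse failure. */
int benign_data_port(void)
{
    struct pasv_target r, d;
    if (!parse_pasv(BENIGN_REPLY, &r))
        return -1;
    choose_data_target(&r, CONTROL_IP, 1, &d);
    return d.port;
}

/* Hostile reply with its address trusted (pre-7.74.0 default): returns 1 if
 * the client would now open a connection to 10.0.0.5:22, i.e. the server
 * has turned the client into a probe of the client's own network. */
int hostile_redirects_when_trusted(void)
{
    struct pasv_target r, d;
    if (!parse_pasv(HOSTILE_REPLY, &r))
        return -1;
    choose_data_target(&r, CONTROL_IP, 0, &d);
    return strcmp(d.host, "10.0.0.5") == 0 && d.port == 22;
}

/* Same hostile reply with skip_pasv_ip (7.74.0 default): returns 1 if the
 * redirect was noticed and the data connection still goes to the control
 * address, whatever port the reply asked for. */
int hostile_is_contained(void)
{
    struct pasv_target r, d;
    if (!parse_pasv(HOSTILE_REPLY, &r))
        return -1;
    int redirected = choose_data_target(&r, CONTROL_IP, 1, &d);
    return redirected && strcmp(d.host, CONTROL_IP) == 0;
}

/* Malformed replies: a non-227 code and an octet above 255 must be rejected. */
int rejects_malformed(void)
{
    struct pasv_target r;
    return !parse_pasv("500 Command not understood", &r)
        && !parse_pasv("227 Entering Passive Mode (300,0,0,1,0,22)", &r);
}

int main(void)
{
    printf("benign data port: %d\n", benign_data_port());
    printf("hostile reply trusted -> connects to 10.0.0.5:22: %d\n",
           hostile_redirects_when_trusted());
    printf("hostile reply with skip_pasv_ip -> stays on %s: %d\n",
           CONTROL_IP, hostile_is_contained());
    printf("malformed replies rejected: %d\n", rejects_malformed());
    return 0;
}
```

Applications that genuinely need the server-supplied address (some NAT setups) can set CURLOPT_FTP_SKIP_PASV_IP back to 0L, which restores the trusting behaviour shown in hostile_redirects_when_trusted and should only be done for servers that are themselves trusted.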
CVE-2020-8285: FTP wildcard stack overflow
libcurl offers a wildcard matching feature (CURLOPT_WILDCARDMATCH) that lets a callback set with CURLOPT_CHUNK_BGN_FUNCTION tell libcurl how to handle each entry as it iterates over a directory listing. In the affected versions, when the callback returned CURL_CHUNK_BGN_FUNC_SKIP for an entry, the code that moved on to the next entry did so by calling itself recursively, consuming one stack frame per skipped entry. The listing is supplied by the server, so a malicious server can return one long enough to exhaust the client's stack and crash it (a stack overflow in the recursion sense, not a buffer overflow). Only applications that enable wildcard matching and skip entries from the callback are exposed; the curl command-line tool does not use this API, which is why only libcurl is listed below.
Affected versions: libcurl 7.21.0 to and including 7.73.0
Not affected versions: libcurl < 7.21.0 and libcurl >= 7.74.0
Reference:
https://curl.se/docs/CVE-2020-8285.html
CVE-2020-8286: Inferior OCSP verification
libcurl offers "OCSP stapling" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response the server staples to its certificate during the TLS handshake and aborts the negotiation if the response is bad. The curl tool enables the same check with --cert-status. In the OpenSSL backend, the affected versions never checked that the stapled response actually referred to the server's certificate (the certificate ID, i.e. serial number and issuer, inside the response), so any well-signed response saying "good" about some other certificate was accepted. A server whose certificate has been revoked can therefore keep passing the check by stapling a valid response for a different, unrevoked certificate, defeating the revocation check the option exists to provide. Since 7.74.0 libcurl matches the response's certificate ID against the certificate being verified and rejects a response that does not cover it. Note that stapling verification is opt-in: without CURLOPT_SSL_VERIFYSTATUS or --cert-status, no OCSP check happens at all, flawed or otherwise.
Affected versions: libcurl 7.41.0 to and including 7.73.0
Not affected versions: libcurl < 7.41.0 and libcurl >= 7.74.0
Reference:
https://curl.se/docs/CVE-2020-8286.html