-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2021-1d24845e93 2021-11-03 01:10:35.195931 --------------------------------------------------------------------------------
Name : curl Product : Fedora 35 Version : 7.79.1 Release : 1.fc35 URL : https://curl.se/ Summary : A utility for getting files from remote servers (FTP, HTTP, and others) Description : curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks.
-------------------------------------------------------------------------------- Update Information:
- update to latest upstream bugfix release ---- new upstream release, which fixes the following vulnerabilities: * CVE-2021-22947 - STARTTLS protocol injection via MITM * CVE-2021-22946 - protocol downgrade required TLS bypassed * CVE-2021-22945 - use-after-free and double-free in MQTT sending -------------------------------------------------------------------------------- ChangeLog:
* Wed Sep 22 2021 Kamil Dudka kdudka@redhat.com - 7.79.1-1 - new upstream release * Thu Sep 16 2021 Kamil Dudka kdudka@redhat.com - 7.79.0-4 - fix regression in http2 implementation introduced in the last release * Thu Sep 16 2021 Sahana Prasad sahana@redhat.com - 7.79.0-3 - Rebuilt with OpenSSL 3.0.0 * Thu Sep 16 2021 Kamil Dudka kdudka@redhat.com - 7.79.0-2 - make SCP/SFTP tests work with openssh-8.7p1 * Wed Sep 15 2021 Kamil Dudka kdudka@redhat.com - 7.79.0-1 - new upstream release, which fixes the following vulnerabilities CVE-2021-22947 - STARTTLS protocol injection via MITM CVE-2021-22946 - protocol downgrade required TLS bypassed CVE-2021-22945 - use-after-free and double-free in MQTT sending * Tue Sep 14 2021 Sahana Prasad sahana@redhat.com - 7.78.0-4 - Rebuilt with OpenSSL 3.0.0 -------------------------------------------------------------------------------- References:
[ 1 ] Bug #2004362 - CVE-2021-22945 curl: use-after-free and double-free in MQTT sending [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2004362 [ 2 ] Bug #2004363 - CVE-2021-22947 curl: STARTTLS protocol injection via MITM [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2004363 [ 3 ] Bug #2004374 - curl-7.79.0 is available https://bugzilla.redhat.com/show_bug.cgi?id=2004374 [ 4 ] Bug #2004927 - CVE-2021-22946 curl: protocol downgrade required TLS bypassed [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2004927 [ 5 ] Bug #2006653 - curl-7.79.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2006653 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2021-1d24845e93' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------