Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2021-2457)

The remote host is missing an update for the Huawei EulerOS 'curl' package(s) announced via the EulerOS-SA-2021-2457 advisory.

curl 7.1.1 to and including 7.75.0 is vulnerable to an 'Exposure of Private Personal Information to an Unauthorized Actor' by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.(CVE-2021-22876) A flaw was found in libcurl in the way libcurl handles previously used connections without accounting for 'issuer cert' and comparing the involved paths case-insensitively. This flaw allows libcurl to use the wrong connection. The highest threat from this vulnerability is to confidentiality.(CVE-2021-22924) A has been found in curl. The fix for CVE-2021-22898 doesn't remedy the vulnerability. A flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality.(CVE-2021-22925)

'curl' package(s) on Huawei EulerOS V2.0SP8.

Checks if a vulnerable package version is present on the target host.

Please install the updated package(s).