RHSA-2021:1610: Moderate: curl security and bug fix update
The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTTP, FTP, and LDAP.Security Fix(es): curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284) curl: Malicious FTP server can trigger stack overflow when CURLOPTCHUNKBGNFUNCTION is used (CVE-2020-8285) curl: Inferior OCSP verification (CVE-2020-8286) curl: Expired pointer dereference via multi API with CURLOPTCONNECTONLY option set (CVE-2020-8231) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2021:1610?
The severity of RHSA-2021:1610 is classified as moderate.
How do I fix RHSA-2021:1610?
To fix RHSA-2021:1610, update your curl packages to version 7.61.1-18.el8 or later.
What issue does RHSA-2021:1610 address?
RHSA-2021:1610 addresses a vulnerability where the FTP PASV command response can cause curl to connect to arbitrary hosts.
Which packages are affected by RHSA-2021:1610?
The affected packages for RHSA-2021:1610 include curl, libcurl, and their respective debuginfo and debugsource versions prior to 7.61.1-18.el8.
Is there a need for an immediate update for RHSA-2021:1610?
Yes, it is recommended to apply the update for RHSA-2021:1610 as it mitigates potential risks associated with the vulnerability.