Opened 13 months ago

Closed 13 months ago

Last modified 9 months ago

#17829 closed enhancement (fixed)

curl-8.0.1

Reported by: Xi Ruoyao
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 12.0
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New "major" version.

"major" quoted because the major version number seems only bumped as a celebration.

Change History (10)

comment:1 by Xi Ruoyao, 13 months ago

With gssapi and libssh2 enabled:

TESTDONE: 1361 tests out of 1361 reported OK: 100%

comment:2 by Xi Ruoyao, 13 months ago

curl and libcurl 8.0.0

  • Public curl releases: 215
  • Command line options: 250
  • curl_easy_setopt() options: 302
  • Public functions in libcurl: 91
  • Contributors: 2841

This release includes the following changes:

  • build: remove support for curl_off_t < 8 bytes [19]

This release includes the following bugfixes:

  • .cirrus.yml: Bump to FreeBSD 13.2 [9]
  • aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3 [112]
  • BINDINGS: add Fortran binding [33]
  • build: drop the use of XC_AMEND_DISTCLEAN [62]
  • build: fix stdint/inttypes detection with non-autotools [120]
  • cf-socket: fix handling of remote addr for accepted tcp sockets [17]
  • cf-socket: if socket is already connected, return CURLE_OK [69]
  • cf-socket: use port 80 when resolving name for local bind [109]
  • CI: don't run CI jobs if only another CI was changed [92]
  • CI: update ngtcp2 and nghttp2 for pytest [13]
  • cmake: delete unused HAVESTRTOI64 [117]
  • cmake: fix enabling LDAPS on Windows [55]
  • cmake: skip CA-path/bundle auto-detection in cross-builds [57]
  • connect: fix time_connect and time_appconnect timer statistics [90]
  • cookie: don't load cookies again when flushing [91]
  • cookie: parse without sscanf()
  • curl.h: require gcc 12.1 for the deprecation magic [110]
  • curl: make -w's %{stderr} use the file set with --stderr [30]
  • curl_path: create the new path with dynbuf [99]
  • CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections [10]
  • CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket [102]
  • CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe [103]
  • DEPRECATE: the original legacy mingw version 1 [43]
  • doc: fix compiler warning in libcurl.m4 [82]
  • docs/cmdline-opts: mark all global options [6]
  • docs/SECURITY-PROCESS.md: updates [67]
  • docs: extend the URL API descriptions [85]
  • docs: note '--data-urlencode' option [7]
  • DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure [70]
  • easy: remove infof() debug leftover from curl_easy_recv [44]
  • examples/http3.c: use CURL_HTTP_VERSION_3 [46]
  • ftp: active mode with SSL, add the filter [84]
  • ftp: add more conditions for connection reuse [74]
  • ftp: allocate the wildcard struct on demand [59]
  • ftp: make the EPSV response parser not use sscanf [25]
  • ftp: replace sscanf for MDTM 213 response parsing [23]
  • ftp: replace sscanf for PASV parsing [24]
  • gssapi: align gss_OID_desc to silence ld warnings on macOS ventura [58]
  • headers: make curl_easy_header and nextheader return different buffers [77]
  • hostip: avoid sscanf and extra buffer copies [42]
  • http2: fix error handling during parallel operations [96]
  • http2: fix for http2-prior-knowledge when reusing connections [14]
  • http2: fix handling of RST and GOAWAY to recognize partial transfers [88]
  • http2: fix upload busy loop [71]
  • http: don't send 100-continue for short PUT requests [93]
  • http: fix unix domain socket use in https connects [28]
  • http: rewrite the status line parser without sscanf [29]
  • http_proxy: parse the status line without sscanf [16]
  • idn: return error if the conversion ends up with a blank host [45]
  • krb5: avoid sscanf for parsing [18]
  • lib1560: test parsing URLs with ridiculously large fields [60]
  • lib2305: deal with CURLE_AGAIN [122]
  • lib517: verify time stamps without leading zeroes plus some more
  • lib: silence clang/gcc -Wvla warnings in brotli headers [98]
  • lib: skip Curl_llist_destroy calls [108]
  • libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3 [39]
  • libssh2: only set the memory callbacks when debugging [65]
  • libssh2: remove unused variable from libssh2's struct [124]
  • libssh: use dynbuf instead of realloc [121]
  • Makefile.mk: delete redundant HAVE_LDAP_SSL macro [56]
  • Makefile.mk: fix -g option in debug mode [81]
  • mqtt: on send error, return error [40]
  • multi: make multi_perform ignore/unignore signals less often [116]
  • multi: remove PENDING + MSGSENT handles from the main linked list [105]
  • ngtcp2-gnutls.yml: bump to gnutls 3.8.0 [11]
  • ngtcp2: fix unwanted close of file descriptor 0 [26]
  • page-footer: add explanation for three missing exit codes [37]
  • parsedate: parse strings without using sscanf() [2]
  • parsedate: replace sscanf( for time stamp parsing [1]
  • quic/schannel: fix compiler warnings [36]
  • rand: use arc4random as fallback when available [48]
  • rate.d: single URLs make no sense in --rate example [38]
  • RELEASE-PROCEDURE.md: update coming release dates
  • rtsp: avoid sscanf for parsing [15]
  • runtests: use a hash table for server port numbers [51]
  • sectransp: fix compiler warning c89 mixed code/declaration [32]
  • sectransp: make read_cert() use a dynbuf when loading [72]
  • secure-transport: fix recv return code handling [114]
  • select: stop treating POLLRDBAND as an error [27]
  • setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct [35]
  • socket: detect "dead" connections better, e.g. not fit for reuse [66]
  • src: silence wmain() warning for all build methods [95]
  • telnet: only accept option arguments in ascii [104]
  • telnet: parse NEW_ENVIRON without sscanf [20]
  • telnet: parse telnet options without sscanf [22]
  • telnet: parse the WS= argument without sscanf [21]
  • test1470: test socks proxy using unix sockets and connect to https [63]
  • test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED [64]
  • test2600: detect when ALARM_TIMEOUT is in use and adjust [34]
  • test422: verify --next used without a prior URL [115]
  • tests/http: add pytest to GHA and improve tests [118]
  • tests: add cookies features [68]
  • tests: add timeout, SLOWDOWN and DELAY keywords to tests
  • tests: fix gnutls-serv check [53]
  • tests: fix MSVC unreachable code warnings in unit tests
  • tests: hack to build most unit tests under cmake [94]
  • tests: HTTP server fixups [3]
  • tests: keep cmake unit tests names in sync
  • tests: make CPPFLAGS common to all unit tests
  • tests: make first.c the same for both lib tests and unit tests [75]
  • tests: support for imaps/pop3s/smtps protocols [50]
  • tests: sync option lists in runtests.pl & its man page
  • tests: test secure mail protocols with explicit SSL requests [49]
  • tests: use AM_CPPFILES to modify flags in unit tests
  • tests: use dynamic ports numbers in pytest suite [89]
  • tool: dump headers even if file is write-only [52]
  • tool: improve --stderr handling [83]
  • tool_getparam: don't add a new node for just --no-remote-name [5]
  • tool_getparam: error if --next is used without a prior URL [119]
  • tool_operate: avoid fclose(NULL) on bad header dump file [12]
  • tool_operate: propagate error codes for missing URL after --next [4]
  • tool_progress: shut off progress meter for --silent in parallel [8]
  • tool_writeout_json. fix the output for duplicate header names [76]
  • transfer: limit Windows SO_SNDBUF updates to once a second [73]
  • url: fix cookielist memleak when curl_easy_reset [106]
  • url: fix logic in connection reuse to deny reuse on "unclean" connections [86]
  • url: fix the SSH connection reuse check [101]
  • url: only reuse connections with same GSS delegation [97]
  • url: remove dummy protocol handler [100]
  • urlapi: '%' is illegal in host names [80]
  • urlapi: avoid mutating internals in getter routine [79]
  • urlapi: parse IPv6 literals without ENABLE_IPV6 [61]
  • urlapi: take const args in _dup and _get functions [78]
  • wildcard: remove files and move functions into ftplistparser.c
  • winbuild: fix makefile clean [31]
  • wolfssl: add quic/ngtcp2 detection in cmake, and fix builds [113]
  • wolfSSL: ressurect the BIO io_result [54]
  • ws: keep the socket non-blocking [41]
  • x509asn1.c: use correct format specifier for infof() call [47]
  • x509asn1: use plain %x, not %lx, when the arg is an int [87]

This release includes the following known bugs:

Planned upcoming removals include:

  • gskit
  • NSS
  • support for space-separated NOPROXY patterns
  • support for the original legacy mingw version 1

comment:3 by Douglas R. Reno, 13 months ago

Summary: curl-8.0.0 → curl-8.0.1

Now 8.0.1

comment:4 by Douglas R. Reno, 13 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:5 by Douglas R. Reno, 13 months ago

Priority: normal → elevated

comment:6 by Tim Tassonis, 13 months ago

Changelog: fix crash in curl_easy_cleanup

comment:7 by Xi Ruoyao, 13 months ago

8.0.1:

This release includes the following bugfixes:

  • Revert "multi: remove PENDING + MSGSENT handles"

comment:8 by Douglas R. Reno, 13 months ago

CVE-2023-27538

CVE-2023-27538: SSH connection too eager reuse still

Project curl Security Advisory, March 20th 2023

VULNERABILITY

libcurl would reuse a previously created connection even when an SSH related option had 
been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers 
to reuse if one of them matches the setup. However, two SSH settings were left out from 
the configuration match checks, making them match too easily.

We are not aware of any exploit of this flaw.

INFO

These are the options that were not considered in the check, so curl would reuse a 
connection even if the subsequent transfer would have changed one or more of these 
options.

    CURLOPT_SSH_PUBLIC_KEYFILE
    CURLOPT_SSH_PRIVATE_KEYFILE

This flaw was initially introduced in curl 7.16.1.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name 
CVE-2023-27538 to this issue.

This vulnerability is partially identical to CVE-2022-27782 since the fix for that 
previous issue was bad and did not actually correct the problem for these SSH options.

CWE-305: Authentication Bypass by Primary Weakness

The previous flaw CVE-2022-27782 was set to severity Medium, but since this is a partial 
of that and affects only two options that rarely will change with the expectation that 
the user will be different, this time we set it to severity Low.

Severity: Low

AFFECTED VERSIONS

    Affected versions: curl 7.16.1 to and including 7.88.1
    Not affected versions: curl < 7.16.1 and curl >= 8.0.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

The fix for CVE-2023-27538

RECOMMENDATIONS

A - Upgrade curl to version 8.0.0

B - Apply the patch to your local version

C - Avoid SCP and SFTP transfers

TIMELINE

This issue was reported to the curl project on March 9 2023. We contacted 
distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this 
advisory.

CVE-2023-27537

CVE-2023-27537: HSTS double-free

Project curl Security Advisory, March 20th 2023

VULNERABILITY

libcurl supports sharing HSTS data between separate "handles". This sharing was 
introduced without consideration for doing this sharing across separate threads, but 
there was no indication of this fact in the documentation.

Due to missing mutexes or thread locks, two threads sharing the same HSTS data could 
end up doing a double-free or use-after-free.

We are not aware of any exploit of this flaw.

INFO

This feature was not implemented to support sharing between threads. That is still left 
for future improvements. The fix for this issue is therefore a documentation update 
clarifying that sharing HSTS between threads is not expected to work.

CVE-2023-27537 was introduced in commit 076a2f629119222a, shipped in curl 7.88.0.

CWE-415: Double Free

Severity: Low

Severity is set to Low because

    Not widely used functionality
    The timing necessary to trigger this has to match fairly exactly
    Exploiting this for anything but denial of service is difficult

AFFECTED VERSIONS

    Affected versions: curl 7.88.0 to and including 7.88.1
    Not affected versions: curl < 7.88.0 and curl >= 8.0.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

A fix for CVE-2023-27537

RECOMMENDATIONS

A - Do not share HSTS data between threads

TIMELINE

This issue was reported to the curl project on March 8 2023. We contacted 
distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this 
advisory.

CVE-2023-27536

CVE-2023-27536: GSS delegation too eager connection re-use

Project curl Security Advisory, March 20th 2023

VULNERABILITY

libcurl would reuse a previously created connection even when the GSS delegation 
(CURLOPT_GSSAPI_DELEGATION) option had been changed that could have changed the user's 
permissions in a second transfer.

libcurl keeps previously used connections in a connection pool for subsequent transfers 
to reuse if one of them matches the setup. However, this GSS delegation setting was 
left out from the configuration match checks, making them match too easily, affecting 
krb5/kerberos/negotiate/GSSAPI transfers.

We are not aware of any exploit of this flaw.

INFO

CVE-2023-27536 was introduced in commit ebf42c4be76df4, shipped in curl 7.22.0.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Low

AFFECTED VERSIONS

    Affected versions: curl 7.22.0 to and including 7.88.1
    Not affected versions: curl < 7.22.0 and curl >= 8.0.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

A fix for CVE-2023-27536

RECOMMENDATIONS

A - Upgrade curl to version 8.0.0

B - Apply the patch to your local version

C - Do not use the CURLOPT_GSSAPI_DELEGATION option

TIMELINE

This issue was reported to the curl project on March 7, 2023. We contacted 
distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this 
advisory.

CVE-2023-27535

CVE-2023-27535: FTP too eager connection reuse

Project curl Security Advisory, March 20th 2023

VULNERABILITY

libcurl would reuse a previously created FTP connection even when one or more options 
had been changed that could have made the effective user a very different one, thus 
leading to doing the second transfer with wrong credentials.

libcurl keeps previously used connections in a connection pool for subsequent transfers 
to reuse if one of them matches the setup. However, several FTP settings were left out 
from the configuration match checks, making them match too easily. The settings in 
question are CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC 
and CURLOPT_USE_SSL level.

We are not aware of any exploit of this flaw.

INFO

CVE-2023-27535 was introduced in commit 177dbc7be07125582, shipped in curl 7.13.0.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Medium

AFFECTED VERSIONS

    Affected versions: curl 7.13.0 to and including 7.88.1
    Not affected versions: curl < 7.13.0 and curl >= 8.0.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

A fix for CVE-2023-27535

RECOMMENDATIONS

A - Upgrade curl to version 8.0.0

B - Apply the patch to your local version

TIMELINE

This issue was reported to the curl project on March 5, 2023. We contacted 
distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this 
advisory.

CVE-2023-27534

CVE-2023-27534: SFTP path ~ resolving discrepancy

Project curl Security Advisory, March 20th 2023

VULNERABILITY

curl supports SFTP transfers. curl's SFTP implementation offers a special feature in 
the path component of URLs: a tilde (~) character as the first path element in the path 
to denote a path relative to the user's home directory. This is supported because of 
wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs 
work.

Due to a bug, the handling of the tilde in SFTP paths did, however, not only replace it 
when it is used stand-alone as the first path element but also, wrongly, when it is used 
as a mere prefix in the first element.

Using a path like /~2/foo when accessing a server using the user dan (with home 
directory /home/dan) would then quite surprisingly access the file /home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.

We are not aware of any exploit of this flaw.

INFO

CVE-2023-27534 was introduced in commit ba6f20a244, shipped in curl 7.18.0.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory

Severity: Low

AFFECTED VERSIONS

    Affected versions: curl 7.18.0 to and including 7.88.1
    Not affected versions: curl < 7.18.0 and curl >= 8.0.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

A fix for CVE-2023-27534

RECOMMENDATIONS

A - Upgrade curl to version 8.0.0

B - Apply the patch to your local version

C - Avoid using tilde in SFTP URL paths.

TIMELINE

This issue was reported to the curl project on March 5, 2023. We contacted 
distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this 
advisory.

CVE-2023-27533

CVE-2023-27533: TELNET option IAC injection

Project curl Security Advisory, March 20th 2023

VULNERABILITY

curl supports communicating using the TELNET protocol and as a part of this it offers 
users the ability to pass on a user name and "telnet options" for the server negotiation.

Due to lack of proper input scrubbing and without it being the documented 
functionality, curl would pass on the user name and telnet options to the server as 
provided. This could allow users to pass in carefully crafted content that passes on 
content or does option negotiation without the application intending to do so, in 
particular if an application for example allows users to provide the data or parts of 
the data.

We are not aware of any exploit of this flaw.

INFO

CVE-2023-27533 was introduced in commit a1d6ad26100bc493c7, shipped in curl 7.7.

CWE-75: Failure to Sanitize Special Elements into a Different Plane

Severity: Low

AFFECTED VERSIONS

    Affected versions: curl 7.7 to and including 7.88.1
    Not affected versions: curl < 7.7 and curl >= 8.0.0

libcurl is used by many applications, but not always advertised as such!

THE SOLUTION

Only accept ASCII user name and telnet options.

A fix for CVE-2023-27533

RECOMMENDATIONS

A - Upgrade curl to version 8.0.0

B - Apply the patch to your local version

C - Do your own TELNET user name or option input filtering

TIMELINE

This issue was reported to the curl project on March 3, 2023. We contacted 
distros@openwall on March 13, 2023.

curl 8.0.0 was released on March 20 2023, coordinated with the publication of this 
advisory.
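
The "~" prefix discrepancy that CVE-2023-27534 above describes, modelled as an added example (this is not curl's code and does not reproduce its SFTP path handling): `sftp_expand_tilde_buggy()` substitutes the home directory whenever the first path element merely starts with "~", so `/~2/foo` with home `/home/dan` becomes `/home/dan2/foo` exactly as the advisory states, while `sftp_expand_tilde_fixed()` substitutes only when the first element is exactly "~". The function names, the sample paths and the home directory are constructed for illustration.

```c
/* Added example, not curl's code: models the SFTP "~" handling described in
 * CVE-2023-27534. sftp_expand_tilde_buggy() substitutes the home directory
 * whenever the first path element merely starts with "~", so "/~2/foo" with
 * home "/home/dan" turns into "/home/dan2/foo". sftp_expand_tilde_fixed()
 * substitutes only when the first element is exactly "~". Function names,
 * the sample paths and the home directory are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a freshly allocated string "prefix" + "rest". Caller frees. */
static char *concat_path(const char *prefix, const char *rest)
{
    size_t plen = strlen(prefix);
    size_t rlen = strlen(rest);
    char *out = malloc(plen + rlen + 1);
    if (out) {
        memcpy(out, prefix, plen);
        memcpy(out + plen, rest, rlen + 1);   /* includes the terminating NUL */
    }
    return out;
}

/* Buggy variant: treats "~" as a mere prefix of the first path element. */
char *sftp_expand_tilde_buggy(const char *path, const char *home)
{
    if (path[0] == '/' && path[1] == '~')
        return concat_path(home, path + 2);   /* "/~2/foo" -> home + "2/foo" */
    return concat_path("", path);
}

/* Fixed variant: the first element must be exactly "~", i.e. followed by "/"
 * or by the end of the string, before anything is replaced. */
char *sftp_expand_tilde_fixed(const char *path, const char *home)
{
    if (path[0] == '/' && path[1] == '~' &&
        (path[2] == '/' || path[2] == '\0'))
        return concat_path(home, path + 2);   /* "/~/foo" -> home + "/foo" */
    return concat_path("", path);             /* "/~2/foo" stays literal */
}

/* Helper for checks: 1 if fn(path, home) yields expected, 0 otherwise. */
int tilde_check(char *(*fn)(const char *, const char *),
                const char *path, const char *home, const char *expected)
{
    char *got = fn(path, home);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    const char *home = "/home/dan";   /* constructed sample home directory */
    const char *paths[] = { "/~/foo", "/~2/foo", "/~", "/etc/motd" };
    size_t i;

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        char *b = sftp_expand_tilde_buggy(paths[i], home);
        char *f = sftp_expand_tilde_fixed(paths[i], home);
        printf("%-10s buggy: %-16s fixed: %s\n", paths[i], b, f);
        free(b);
        free(f);
    }
    return 0;
}
```

The difference is a single boundary test on the character after the tilde; the buggy form lets a path that only looks like it stays inside a caller's allow-listed prefix resolve to a sibling directory, which is why the advisory lists CWE-22.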

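Three of the advisories above (CVE-2023-27535, CVE-2023-27536 and CVE-2023-27538) share one root cause: the connection-pool match omitted settings that decide who the server thinks the client is. The following added example is a minimal model of that check, not libcurl's code and not its internal data structures; the struct, its field names and both match functions are constructed for illustration, and the comments name the libcurl options from the advisories that each field stands in for. The scenario function covers the SSH key-file case and is written so it generalises to any of the listed fields.

```c
/* Added example, not libcurl's code: a minimal model of the connection-pool
 * match that CVE-2023-27535, CVE-2023-27536 and CVE-2023-27538 concern.
 * A pooled connection may only be reused when every setting that decides who
 * the server thinks the client is agrees with the new transfer's setup.
 * Struct, field names and functions are constructed for illustration. */
#include <stddef.h>
#include <string.h>

struct conn_settings {
    const char *host;
    int port;
    const char *user;
    const char *password;
    /* settings the advisories say were missing from the match */
    const char *ssh_public_keyfile;      /* CURLOPT_SSH_PUBLIC_KEYFILE */
    const char *ssh_private_keyfile;     /* CURLOPT_SSH_PRIVATE_KEYFILE */
    long gssapi_delegation;              /* CURLOPT_GSSAPI_DELEGATION */
    const char *ftp_account;             /* CURLOPT_FTP_ACCOUNT */
    const char *ftp_alternative_to_user; /* CURLOPT_FTP_ALTERNATIVE_TO_USER */
    long ftp_ssl_ccc;                    /* CURLOPT_FTP_SSL_CCC */
    long use_ssl;                        /* CURLOPT_USE_SSL */
};

/* NULL-safe string equality: two NULLs are equal, NULL vs. a string is not. */
static int str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Incomplete match: endpoint and basic credentials only. This is the shape
 * of check the advisories describe as "matching too easily". */
int conn_matches_incomplete(const struct conn_settings *pooled,
                            const struct conn_settings *want)
{
    return str_eq(pooled->host, want->host) && pooled->port == want->port &&
           str_eq(pooled->user, want->user) &&
           str_eq(pooled->password, want->password);
}

/* Complete match: every identity-affecting setting must agree as well. */
int conn_matches_complete(const struct conn_settings *pooled,
                          const struct conn_settings *want)
{
    return conn_matches_incomplete(pooled, want) &&
           str_eq(pooled->ssh_public_keyfile, want->ssh_public_keyfile) &&
           str_eq(pooled->ssh_private_keyfile, want->ssh_private_keyfile) &&
           pooled->gssapi_delegation == want->gssapi_delegation &&
           str_eq(pooled->ftp_account, want->ftp_account) &&
           str_eq(pooled->ftp_alternative_to_user,
                  want->ftp_alternative_to_user) &&
           pooled->ftp_ssl_ccc == want->ftp_ssl_ccc &&
           pooled->use_ssl == want->use_ssl;
}

/* Constructed scenario: same host, port, user and password, but the second
 * transfer switches to a different SSH key pair. Returns 1 when the
 * incomplete check would reuse the connection while the complete check
 * refuses, i.e. when the model reproduces the class of bug described. */
int demo_key_change_is_caught(void)
{
    struct conn_settings pooled = { "sftp.example.invalid", 22, "dan", NULL,
        "/home/dan/.ssh/id_a.pub", "/home/dan/.ssh/id_a", 0, NULL, NULL, 0, 0 };
    struct conn_settings want = pooled;
    want.ssh_public_keyfile = "/home/dan/.ssh/id_b.pub";
    want.ssh_private_keyfile = "/home/dan/.ssh/id_b";
    return conn_matches_incomplete(&pooled, &want) == 1 &&
           conn_matches_complete(&pooled, &want) == 0;
}

/* Same idea for the GSS delegation flag (CVE-2023-27536). */
int demo_delegation_change_is_caught(void)
{
    struct conn_settings pooled = { "kdc.example.invalid", 80, "dan", NULL,
        NULL, NULL, 0, NULL, NULL, 0, 0 };
    struct conn_settings want = pooled;
    want.gssapi_delegation = 1;
    return conn_matches_incomplete(&pooled, &want) == 1 &&
           conn_matches_complete(&pooled, &want) == 0;
}
```

The defensive lesson is that the reuse key has to be derived from the full set of options that influence authentication or authorization, not from the endpoint alone; a setting added later that affects identity must be added to the match at the same time, which is exactly what the fixes to the advisories above did.
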
comment:9 by Douglas R. Reno, 13 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 1f0e7ec432bb9b31a1ae6286fa6f54fece9507b0

Issued SA-11.3-007

comment:10 by Bruce Dubbs, 9 months ago

Milestone: 11.4 → 12.0

Milestone renamed
