Security update for curl SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14760-1 Final 1 1 2021-06-30T15:15:05Z current 2021-06-30T15:15:05Z 2021-06-30T15:15:05Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). secsp3-curl-14760,sleposp3-curl-14760,slessp4-curl-14760 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114760-1/ Link for SUSE-SU-2021:14760-1 https://lists.suse.com/pipermail/sle-security-updates/2021-June/009106.html E-Mail link for SUSE-SU-2021:14760-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1186114 SUSE Bug 1186114 https://www.suse.com/security/cve/CVE-2021-22898/ SUSE CVE CVE-2021-22898 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS SUSE Linux Enterprise Server 11-SECURITY curl-openssl1-7.37.0-70.66.1 libcurl4-openssl1-7.37.0-70.66.1 libcurl4-openssl1-32bit-7.37.0-70.66.1 libcurl4-openssl1-x86-7.37.0-70.66.1 curl-7.37.0-70.66.1 libcurl-devel-7.37.0-70.66.1 libcurl4-7.37.0-70.66.1 libcurl4-32bit-7.37.0-70.66.1 curl-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 libcurl-devel-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 libcurl4-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 curl-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS libcurl4-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS libcurl4-32bit-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS curl-openssl1-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Server 11-SECURITY libcurl4-openssl1-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Server 11-SECURITY libcurl4-openssl1-32bit-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Server 11-SECURITY libcurl4-openssl1-x86-7.37.0-70.66.1 as a component of SUSE Linux Enterprise Server 11-SECURITY curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. CVE-2021-22898 SUSE Linux Enterprise Point of Sale 11 SP3:curl-7.37.0-70.66.1 SUSE Linux Enterprise Point of Sale 11 SP3:libcurl-devel-7.37.0-70.66.1 SUSE Linux Enterprise Point of Sale 11 SP3:libcurl4-7.37.0-70.66.1 SUSE Linux Enterprise Server 11 SP4-LTSS:curl-7.37.0-70.66.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libcurl4-32bit-7.37.0-70.66.1 SUSE Linux Enterprise Server 11 SP4-LTSS:libcurl4-7.37.0-70.66.1 SUSE Linux Enterprise Server 11-SECURITY:curl-openssl1-7.37.0-70.66.1 SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-32bit-7.37.0-70.66.1 SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-7.37.0-70.66.1 SUSE Linux Enterprise Server 11-SECURITY:libcurl4-openssl1-x86-7.37.0-70.66.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114760-1/ https://www.suse.com/security/cve/CVE-2021-22898.html CVE-2021-22898 https://bugzilla.suse.com/1186114 SUSE Bug 1186114 https://bugzilla.suse.com/1192450 SUSE Bug 1192450