Amazon Linux 2 Security Advisory: ALAS-2021-1653
Advisory Release Date: 2021-06-16 20:37 Pacific
Advisory Updated Date: 2021-06-22 21:42 Pacific
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. (CVE-2021-22876)
A vulnerability was found in curl where a flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22898)
Affected Packages:
curl
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update curl to update your system.
aarch64:
curl-7.61.1-12.amzn2.0.4.aarch64
libcurl-7.61.1-12.amzn2.0.4.aarch64
libcurl-devel-7.61.1-12.amzn2.0.4.aarch64
curl-debuginfo-7.61.1-12.amzn2.0.4.aarch64
i686:
curl-7.61.1-12.amzn2.0.4.i686
libcurl-7.61.1-12.amzn2.0.4.i686
libcurl-devel-7.61.1-12.amzn2.0.4.i686
curl-debuginfo-7.61.1-12.amzn2.0.4.i686
src:
curl-7.61.1-12.amzn2.0.4.src
x86_64:
curl-7.61.1-12.amzn2.0.4.x86_64
libcurl-7.61.1-12.amzn2.0.4.x86_64
libcurl-devel-7.61.1-12.amzn2.0.4.x86_64
curl-debuginfo-7.61.1-12.amzn2.0.4.x86_64