Amazon Linux 1 Security Advisory: ALAS-2021-1509
Advisory Release Date: 2021-07-08 18:38 Pacific
Advisory Updated Date: 2021-07-12 21:48 Pacific
It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. (CVE-2021-22876)
A vulnerability was found in curl where a flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22898)
Affected Packages:
curl
Issue Correction:
Run yum update curl to update your system.
i686:
curl-debuginfo-7.61.1-12.98.amzn1.i686
libcurl-devel-7.61.1-12.98.amzn1.i686
curl-7.61.1-12.98.amzn1.i686
libcurl-7.61.1-12.98.amzn1.i686
src:
curl-7.61.1-12.98.amzn1.src
x86_64:
curl-debuginfo-7.61.1-12.98.amzn1.x86_64
libcurl-7.61.1-12.98.amzn1.x86_64
libcurl-devel-7.61.1-12.98.amzn1.x86_64
curl-7.61.1-12.98.amzn1.x86_64