ALAS-2021-1509


Amazon Linux AMI Security Advisory: ALAS-2021-1509
Advisory Release Date: 2021-07-08 18:38 Pacific
Advisory Updated Date: 2021-07-12 21:48 Pacific
Severity: Medium

Issue Overview:

It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected. (CVE-2021-22876)

A vulnerability was found in curl where a flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22898)


Affected Packages:

curl


Issue Correction:
Run yum update curl to update your system.

New Packages:
i686:
    curl-debuginfo-7.61.1-12.98.amzn1.i686
    libcurl-devel-7.61.1-12.98.amzn1.i686
    curl-7.61.1-12.98.amzn1.i686
    libcurl-7.61.1-12.98.amzn1.i686

src:
    curl-7.61.1-12.98.amzn1.src

x86_64:
    curl-debuginfo-7.61.1-12.98.amzn1.x86_64
    libcurl-7.61.1-12.98.amzn1.x86_64
    libcurl-devel-7.61.1-12.98.amzn1.x86_64
    curl-7.61.1-12.98.amzn1.x86_64