Bug 2003175 (CVE-2021-22946)
Summary: | CVE-2021-22946 curl: Requirement to use TLS not properly enforced for IMAP, POP3, and FTP protocols | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | ||
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | curl 7.79.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in curl. This flaw lies in the --ssl-reqd option or related settings in libcurl. Users specify this flag to upgrade to TLS when communicating with an IMAP, POP3, or FTP server. An attacker controlling such a server could return a crafted response that causes the curl client to continue its operation without TLS encryption, leading to data being transmitted in clear text over the network. The highest threat from this vulnerability is to data confidentiality.
|
Last Closed: | 2021-11-02 14:08:19 UTC | Type: | --- |
Bug Depends On: | 2003661, 2003662, 2003663, 2003664, 2003665, 2003725, 2003726, 2003727, 2003728, 2004649, 2004927, 2038281, 2044195 | ||
Bug Blocks: | 2001529 |
Description
Marian Rehak
2021-09-10 14:11:33 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2004927]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4059 https://access.redhat.com/errata/RHSA-2021:4059

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22946

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0635 https://access.redhat.com/errata/RHSA-2022:0635

This issue has been addressed in the following products:

.NET Core on Red Hat Enterprise Linux

Via RHSA-2022:1354 https://access.redhat.com/errata/RHSA-2022:1354