An out-of-bounds read in code handling HTTP/2 trailers was found. This could lead to a denial-of-service or an information disclosure in some circumstances.
Affected versions: libcurl 7.49.0 to and including 7.57.0
Not affected versions: libcurl < 7.49.0 and >= 7.58.0
Upstream bug report:
Name: the Curl project
Upstream: Zhouyihai Ding
The latest version of curl shipped by ceph-2 is 7.29.0-32.el7(~3 years back), however which is not affected by this flaw. Ceph-2 no more ships updated version of curl and consumes latest available releases from RHEL repo.
This bug was essentially introduced by the following commit:
This flaw was introduced in curl-7.49.0. Therefore the versions of curl shipped with Red Hat Enterprise Linux 5, 6 and 7 and Red Hat Ceph Storage 2 are not affected by this flaw.
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1699816]
Created mingw-curl tracking bugs for this issue:
Affects: fedora-all [bug 1699817]
This issue has been addressed in the following products:
JBoss Core Services Apache HTTP Server 2.4.29 SP2
Via RHSA-2019:1543 https://access.redhat.com/errata/RHSA-2019:1543
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):