The number of acceptable "links" in the "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps.
Created curl tracking bugs for this issue: Affects: fedora-all [bug 2101648] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 2101649]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:6157 https://access.redhat.com/errata/RHSA-2022:6157
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:6159 https://access.redhat.com/errata/RHSA-2022:6159
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-32206
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:3460 https://access.redhat.com/errata/RHSA-2023:3460