This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a mixed-case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example, a cookie could be set with `domain=co.UK` when the URL used a lower-case hostname `curl.co.uk`, even though `co.uk` is listed as a PSL domain.
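As an added illustration (not curl's code, which is C, and not part of this bug report), a small Python model of the two checks a cookie-domain validator performs: the PSL lookup and the host domain-match. The PSL here is a constructed four-entry stand-in for the real list. The vulnerable variant looks the cookie domain up case-sensitively while matching it against the host case-insensitively, which is the mismatch the description above refers to; the fixed variant lowercases once and uses that value for both checks.

```python
# Constructed stand-in for the Public Suffix List. The published list is
# lowercase, so a case-sensitive membership test only works for lowercase
# input. Real deployments load the full list; this is just a toy.
PSL = {"com", "uk", "co.uk", "se"}


def _domain_match(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 style domain-match: the cookie domain must be
    the host itself or a suffix of it on a label boundary.
    Both arguments are expected to be lowercase already."""
    return host == domain or host.endswith("." + domain)


def cookie_domain_allowed_vulnerable(host: str, cookie_domain: str) -> bool:
    """Models the flaw: the PSL lookup sees the raw, mixed-case domain,
    but the host comparison is case-insensitive. 'co.UK' is not found in
    the PSL, yet it still domain-matches 'curl.co.uk'."""
    domain = cookie_domain.lstrip(".")
    if domain in PSL:                      # case-sensitive: 'co.UK' slips by
        return False
    return _domain_match(host.lower(), domain.lower())


def cookie_domain_allowed_fixed(host: str, cookie_domain: str) -> bool:
    """Hardened form: normalise case once, then feed the same normalised
    value to every check so the two comparisons cannot disagree."""
    domain = cookie_domain.lstrip(".").lower()
    if domain in PSL:                      # public suffix: never a cookie domain
        return False
    return _domain_match(host.lower(), domain)


if __name__ == "__main__":
    for fn in (cookie_domain_allowed_vulnerable, cookie_domain_allowed_fixed):
        print(fn.__name__, "curl.co.uk / domain=co.UK ->",
              fn("curl.co.uk", "co.UK"))
```

The general lesson is the one to check for in any validator: when a value passes through two checks, normalise it once up front rather than separately in each check.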
This is public now: https://daniel.haxx.se/blog/2023/12/06/curl-8-5-0/ https://seclists.org/oss-sec/2023/q4/261
Created curl tracking bugs for this issue: Affects: fedora-all [bug 2253142]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:0434 https://access.redhat.com/errata/RHSA-2024:0434
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:0452 https://access.redhat.com/errata/RHSA-2024:0452
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0428 https://access.redhat.com/errata/RHSA-2024:0428
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0585 https://access.redhat.com/errata/RHSA-2024:0585
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1129 https://access.redhat.com/errata/RHSA-2024:1129
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2024:1317 https://access.redhat.com/errata/RHSA-2024:1317
This issue has been addressed in the following products: JBoss Core Services on RHEL 7, JBoss Core Services for RHEL 8 Via RHSA-2024:1316 https://access.redhat.com/errata/RHSA-2024:1316
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:1601 https://access.redhat.com/errata/RHSA-2024:1601