Amazon Linux 2023: CVE-2023-23914: Medium priority package update for curl

Amazon Linux 2023: CVE-2023-23914: Medium priority package update for curl

Severity

6

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

02/15/2023

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of usingan insecure clear-text HTTP step even when HTTP is provided in the URL. ThisHSTS mechanism would however surprisingly be ignored by subsequent transferswhen done on the same command line because the state would not be properlycarried on. A flaw was found in the Curl package, where the HSTS mechanism would be ignored by subsequent transfers when done on the same command line because the state would not be properly carried. This issue may result in limited confidentiality and integrity.

Solution(s)

• amazon-linux-2023-upgrade-curl
• amazon-linux-2023-upgrade-curl-debuginfo
• amazon-linux-2023-upgrade-curl-debugsource
• amazon-linux-2023-upgrade-curl-minimal
• amazon-linux-2023-upgrade-curl-minimal-debuginfo
• amazon-linux-2023-upgrade-libcurl
• amazon-linux-2023-upgrade-libcurl-debuginfo
• amazon-linux-2023-upgrade-libcurl-devel
• amazon-linux-2023-upgrade-libcurl-minimal
• amazon-linux-2023-upgrade-libcurl-minimal-debuginfo

References

• https://attackerkb.com/topics/cve-2023-23914
• CVE - 2023-23914
• https://alas.aws.amazon.com/AL2023/ALAS-2023-114.html