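Haxx curl Remote Security Bypass Vulnerability (CVE-2016-8620)

Vulnerability Description
Haxx curl is a file transfer tool from the Swedish company Haxx that works on the command line using URL syntax. It supports file upload and download, and includes libcurl (a client-side URL transfer library) for use in program development.
A remote security bypass vulnerability exists in Haxx curl versions 7.34.0 through 7.50.3. An attacker can exploit it to bypass security restrictions and perform unauthorized operations.
Solution
The following are the security advisories that Linux/Unix distributions have published for this vulnerability; refer to the advisory for your system to fix it: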
Ubuntu
----------------
USN-3123-1: [USN-3123-1] curl vulnerabilities
Link: https://www.ubuntu.com/usn/usn-3123-1
Red Hat Enterprise Linux
----------------
Link: https://access.redhat.com/security/cve/CVE-2016-8620
Gentoo
----------------
GLSA-201701-47: cURL: Multiple vulnerabilities
Link: https://security.gentoo.org/glsa/201701-47
FreeBSD
----------------
765feb7d-a0d1-11e6-a881-b499baebfeaf: cURL -- multiple vulnerabilities
Link: http://vuxml.freebsd.org/freebsd/765feb7d-a0d1-11e6-a881-b499baebfeaf.html
Slackware
----------------
SSA:2016-308-01: [slackware-security] curl (SSA:2016-308-01)
Link: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.661139
openSUSE
----------------
openSUSE-SU-2016:2768-1: openSUSE Security Update: Security update for curl
Link: https://lists.opensuse.org/opensuse-security-announce/2016-11/msg00020.html
SUSE
----------------
Link: https://www.suse.com/security/cve/CVE-2016-8620/
Fedora
----------------
FEDORA-2016-89769648a0: Fedora 25 Update: curl-7.51.0-1.fc25
Link: https://lists.fedoraproject.org/archives/list/[email protected]/thread/4JYTXIUQEYYWVLG2WJOE6FOVWRSPOQBM/
FEDORA-2016-e8e8cdb4ed: Fedora 24 Update: curl-7.47.1-9.fc24
Link: https://lists.fedoraproject.org/archives/list/[email protected]/thread/S35RRQRUQKGWNDB4PRIQM7ZAHJXEDFCQ/
Arch Linux
----------------
ASA-201611-7: [arch-security] [ASA-201611-7] curl: multiple issues
Link: https://security.archlinux.org/ASA-201611-7
Debian
----------------
DSA-3705: DSA-3705-1 curl -- security update
Link: https://www.debian.org/security/2016/dsa-3705

Reposted from www.cnblogs.com/mrhonest/p/10913324.html