Bug 1217573 (CVE-2023-46218) - VUL-0: CVE-2023-46218: curl: cookie mixed case PSL bypass
Summary: VUL-0: CVE-2023-46218: curl: cookie mixed case PSL bypass
Status: RESOLVED FIXED
Alias: CVE-2023-46218
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/386279/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46218:4.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-28 08:22 UTC by Thomas Leroy
Modified: 2024-04-15 15:09 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 4 Thomas Leroy 2023-11-29 14:55:25 UTC
Affected:

SUSE:SLE-15-SP2:Update
SUSE:SLE-15-SP4:Update
SUSE:SLE-15:Update
SUSE:SLE-12-SP4:Update
SUSE:SLE-12-SP5:Update
SUSE:ALP:Source:Standard:1.0
Comment 5 Otto Hollmann 2023-11-29 15:06:29 UTC
Submitted:

> Codestream              | Version | Request
> ------------------------+---------+-------------
> SUSE_SLE-15-SP4_Update  | 8.0.1   | 314009
> SUSE_SLE-15-SP2_Update  | 7.66.0  | 314010
> SUSE_SLE-15_Update      | 7.60.0  | 314011
> SUSE_SLE-12-SP5_Update  | 8.0.1   | 314012
> SUSE:SLE-12-SP4:Update  | 7.60.0  | out of support
> SUSE_SLE-12_Update      | 7.37.0  | not affected

Codestreams: SUSE_SLE-15-SP6:GA, SUSE:ALP:Source:Standard:1.0, openSUSE:Factory are also affected and will be fixed after CRD.
Comment 8 Marcus Meissner 2023-12-06 09:27:36 UTC
public

        CVE-2023-46218: https://curl.se/docs/CVE-2023-46218.html
        OSS:2023/Q4/261: https://seclists.org/oss-sec/2023/q4/261
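The linked curl advisory describes the root cause: the Public Suffix List (PSL) check on a cookie's Domain attribute was done case-sensitively, while the later host/domain comparison when sending the cookie is case-insensitive, so a server could set a "super cookie" for a suffix such as co.UK that curl then sent to every host under co.uk. The following is an added illustration of that mismatch and of the fix (normalising case before the PSL lookup); it is not curl's code and not part of this bug report, and PUBLIC_SUFFIXES is a tiny constructed stand-in for the real list.

```python
"""Simplified model of the CVE-2023-46218 cookie PSL bypass (added example,
not curl's own code). PUBLIC_SUFFIXES is a constructed subset of the PSL."""

# Constructed stand-in for the Public Suffix List; the real list is far larger.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "github.io"}


def tail_match(host: str, domain: str) -> bool:
    """Cookie domain matching (RFC 6265 style): case-insensitive, label-aligned."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def psl_lookup_vulnerable(domain: str) -> bool:
    """Pre-fix model: the PSL is consulted with the domain string as given,
    so 'co.UK' is not found even though 'co.uk' is a public suffix."""
    return domain in PUBLIC_SUFFIXES


def psl_lookup_fixed(domain: str) -> bool:
    """Post-fix model: lowercase before the lookup, consistent with the
    case-insensitive comparison applied when the cookie is later sent."""
    return domain.lower() in PUBLIC_SUFFIXES


def accept_cookie(setting_host: str, cookie_domain: str, psl_lookup) -> bool:
    """Decide whether a Set-Cookie Domain= attribute from setting_host is stored.
    A domain that is itself a public suffix must be refused (a 'super cookie')."""
    domain = cookie_domain.lstrip(".")
    if psl_lookup(domain):
        return False
    # The setting host must lie inside the domain it claims.
    return tail_match(setting_host, domain)


def cookie_sent_to(target_host: str, cookie_domain: str) -> bool:
    """Once stored, the cookie goes to every host matching the domain,
    compared case-insensitively."""
    return tail_match(target_host, cookie_domain.lstrip("."))


def run_scenario(psl_lookup) -> dict:
    """Constructed input: a server at evil.co.uk sets Domain=co.UK and we ask
    whether the cookie is stored and whether it would leak to bank.co.uk."""
    attacker, domain, victim = "evil.co.uk", "co.UK", "bank.co.uk"
    stored = accept_cookie(attacker, domain, psl_lookup)
    return {
        "stored": stored,
        "leaks_to_victim": stored and cookie_sent_to(victim, domain),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(psl_lookup_vulnerable))
    print("fixed:     ", run_scenario(psl_lookup_fixed))
```

With the pre-fix lookup the mixed-case domain slips past the PSL check and the cookie is later sent to an unrelated host under the same suffix; with the lookup normalised to lowercase the same Set-Cookie is refused, while an ordinary domain such as example.co.uk set by www.example.co.uk is still accepted.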
Comment 9 Maintenance Automation 2023-12-06 16:30:42 UTC
SUSE-SU-2023:4659-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1217573, 1217574
CVE References: CVE-2023-46218, CVE-2023-46219
Sources used:
openSUSE Leap 15.4 (src): curl-8.0.1-150400.5.36.1
openSUSE Leap Micro 5.3 (src): curl-8.0.1-150400.5.36.1
openSUSE Leap Micro 5.4 (src): curl-8.0.1-150400.5.36.1
openSUSE Leap 15.5 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro 5.3 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro 5.4 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro 5.5 (src): curl-8.0.1-150400.5.36.1
Basesystem Module 15-SP4 (src): curl-8.0.1-150400.5.36.1
Basesystem Module 15-SP5 (src): curl-8.0.1-150400.5.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-12-06 16:30:49 UTC
SUSE-SU-2023:4653-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1217573, 1217574
CVE References: CVE-2023-46218, CVE-2023-46219
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): curl-8.0.1-11.80.1
SUSE Linux Enterprise Server 12 SP5 (src): curl-8.0.1-11.80.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): curl-8.0.1-11.80.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): curl-8.0.1-11.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-12-06 16:30:55 UTC
SUSE-SU-2023:4650-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1215889, 1217573
CVE References: CVE-2023-38546, CVE-2023-46218
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): curl-7.60.0-150000.56.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): curl-7.60.0-150000.56.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): curl-7.60.0-150000.56.1
SUSE CaaS Platform 4.0 (src): curl-7.60.0-150000.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Otto Hollmann 2023-12-07 09:49:47 UTC
Submitted version upgrades:
ALP
> https://build.suse.de/request/show/314850

openSUSE:Factory
> https://build.opensuse.org/request/show/1131466

There is no codestream for SLE15-SP6, it's inherited from 15-SP4
Everything is submitted, assigning back to security team
Comment 14 Maintenance Automation 2023-12-11 20:36:13 UTC
SUSE-SU-2023:4713-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1217573
CVE References: CVE-2023-46218
Sources used:
SUSE Linux Enterprise Micro 5.2 (src): curl-7.66.0-150200.4.63.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): curl-7.66.0-150200.4.63.1
SUSE Linux Enterprise Micro 5.1 (src): curl-7.66.0-150200.4.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Marcus Meissner 2024-04-15 15:09:22 UTC
released