Chapter 3. Security Fixes
This update includes the following security fixes:
| ID | Impact | Summary |
|---|---|---|
| | Moderate | curl: FTP PASV command response can cause curl to connect to arbitrary host [jbcs-httpd-2.4] |
| | Moderate | curl: inferior OCSP verification [jbcs-httpd-2.4] |
| | Moderate | curl: libcurl: partial password leak over DNS on HTTP redirect [jbcs-httpd-2.4] |
| | Moderate | curl: Leak of authentication credentials in URL via automatic Referer [jbcs-httpd-2.4] |
| | Moderate | curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used [jbcs-httpd-2.4] |
| | Low | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host [jbcs-httpd-2.4] |
| | Important | curl: Use-after-free in TLS session handling when using OpenSSL TLS backend [jbcs-httpd-2.4] |
| | Important | httpd: NULL pointer dereference on specially crafted HTTP/2 request [jbcs-httpd-2.4] |