π ~4 min read β’ Source: ELSA advisory ELSA-2019-3701
Related CVEs: CVE-2019-3822 CVE-2019-3823 CVE-2018-20483 CVE-2018-16890
Table of contents
Symptom & Impact
On Oracle Linux 8 hosts running curl, administrators report behaviour consistent with ELSA advisory ELSA-2019-3701: unexpected service restarts, denied transactions, audit warnings, or, for security-rated advisories, exposure to the vulnerabilities tracked under the related CVEs. Operators see failed systemctl status output, abnormal entries in journalctl -xe, and β where the package is part of the serving path β degraded availability. On Oracle Linux 8, impact ranges from a single service restart loop to wider production incidents depending on host role and the criticality of curl.
Environment & Reproduction
Reproduction targets Oracle Linux 8 running either the Red Hat Compatible Kernel or the Unbreakable Enterprise Kernel. Confirm release with cat /etc/oracle-release and kernel with uname -r. Trigger the workflow that exposes curl β security and stability fixes β required update while collecting journalctl -b, dnf history, and rpm -qa output for correlation against ELSA advisory ELSA-2019-3701.
Root Cause Analysis
Root cause is documented in ELSA advisory ELSA-2019-3701. Upstream maintainers shipped fixes in the corresponding curl update; running an outdated build leaves the host exposed and may trigger the failure modes described in the advisory. Correlate journalctl --since timestamps with dnf history and ausearch -m AVC entries to isolate the originating change. On Oracle Linux 8, modular streams, UEK kernel variants, and OEL-specific errata can each shift the package set used by the failure path.
Quick Triage
Quick triage: run systemctl status curl, journalctl -u curl -n 200, firewall-cmd --list-all, getenforce, dnf check, and rpm -Va. If SELinux is enforcing, capture ausearch -m AVC -ts recent to surface denials linked to curl β security and stability fixes β required update.
Step-by-Step Diagnosis
1) Confirm the symptom with systemctl --failed. 2) Inspect logs: journalctl -xe and journalctl -u curl. 3) Validate firewall: firewall-cmd --list-all-zones. 4) Check SELinux denials: ausearch -m AVC,USER_AVC -ts today. 5) Verify package integrity: dnf check and rpm -V curl. 6) Correlate findings with dnf history, /var/log/dnf.log and ELSA advisory ELSA-2019-3701 to pin the change that introduced curl β security and stability fixes β required update.
Solution – Primary Fix
Primary fix for curl β security and stability fixes β required update: apply the corrective dnf transaction described in ELSA advisory ELSA-2019-3701, reload the affected systemd unit, and reconcile firewalld and SELinux state. Typical commands: sudo dnf -y update curl, sudo systemctl daemon-reload, sudo systemctl restart curl, rpm -q curl. Validate immediately with systemctl is-active curl.
Need help applying this fix at scale? Our IT Solutions & Services team rolls Oracle Linux patches across estates with zero-downtime change windows. Get in touch for a free consultation.
Solution – Alternative Approaches
Alternatives include rolling back the offending transaction with sudo dnf history undo <id>, pinning the package via dnf versionlock, switching the firewall backend between nftables and iptables in /etc/firewalld/firewalld.conf, or temporarily setting SELinux permissive (setenforce 0) to confirm policy is the cause before authoring a custom module with audit2allow. For Oracle Linux specifically, Ksplice live patching may close the gap without reboot when the advisory has Ksplice coverage.
Verification & Acceptance Criteria
Acceptance: rpm -q curl shows the expected fixed version, systemctl is-active curl returns active, journalctl -u curl --since "5 minutes ago" shows no errors, firewall-cmd --list-services includes the required services, getenforce reports the intended mode, and the original reproduction steps for curl β security and stability fixes β required update no longer trigger the failure across two consecutive runs.
Rollback Plan
Capture state with dnf history list and rpm -qa > /root/rpm-pre.txt before any change. To revert, run sudo dnf history undo <id>, restore /etc backups, and reload systemctl daemon-reload. For SELinux modules, remove with sudo semodule -r <module>. Reboot if the kernel or initramfs was changed and re-verify symptoms.
Prevention & Hardening
Prevent recurrence with dnf-automatic security updates, needs-restarting -r checks, immutable systemd drop-ins under /etc/systemd/system/<unit>.d/, version-locked firewalld zones, and audit rules in /etc/audit/rules.d/. Apply CIS Oracle Linux 8 hardening, subscribe to the Oracle Linux errata mailing list, and monitor file integrity with aide --check. Where supported, enable Oracle Ksplice so future advisories like this can be remediated live without reboot.
Related Errors & Cross-Refs
Related issues that commonly surface alongside curl β security and stability fixes β required update: dnf transaction lock contention, systemd unit ordering cycles, SELinux AVC bursts, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted. See sibling common-problem articles in this Oracle Linux 8 series for adjacent failure modes.
View all oracle-linux-8 tutorials on the Tutorials Hub β
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: ELSA advisory ELSA-2019-3701. Supporting docs: Oracle Linux 8 Administrators Guide, Red Hat Enterprise Linux documentation (upstream), man dnf, man systemctl, man firewall-cmd, man semanage, man journalctl, the Oracle Linux yum server changelog, and the Oracle Ksplice known-fixes feed. Review /usr/share/doc/ package documentation for the components implicated in curl β security and stability fixes β required update.
