| Summary: | curl new security issues CVE-2014-3613 and CVE-2014-3620 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | olchal, stormi-mageia, sysadmin-bugs, tarazed25 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/611591/ | ||
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK | ||
| Source RPM: | curl-7.34.0-1.2.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-09-10 20:09:30 CEST

David Walser
2014-09-10 20:09:37 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

Updated package uploaded for Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory (Mageia 3):
========================

Updated curl packages fix security vulnerabilities:

In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
http://curl.haxx.se/docs/adv_20140910A.html
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.5.mga3
libcurl4-7.28.1-6.5.mga3
libcurl-devel-7.28.1-6.5.mga3
curl-examples-7.28.1-6.5.mga3

from curl-7.28.1-6.5.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated curl packages fix security vulnerabilities:

In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613).

In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain (CVE-2014-3620).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620
http://curl.haxx.se/docs/adv_20140910A.html
http://curl.haxx.se/docs/adv_20140910B.html
========================

Updated packages in core/updates_testing:
========================
curl-7.34.0-1.3.mga4
libcurl4-7.34.0-1.3.mga4
libcurl-devel-7.34.0-1.3.mga4
curl-examples-7.34.0-1.3.mga4

from curl-7.34.0-1.3.mga4.src.rpm
Version: Cauldron => 4

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11
Whiteboard: MGA3TOO => MGA3TOO has_procedure

Debian has issued an advisory for this on September 10:
https://www.debian.org/security/2014/dsa-3022
URL: (none) => http://lwn.net/Vulnerabilities/611591/

Oops, forgot to assign to QA.
Assignee: bugsquad => qa-bugs

Testing complete MGA4 64 following procedure linked in comment #2, just had to change the ftp URLs to another mirror and another RPM.
CC: (none) => stormi

Samuel Verschelde
2014-09-16 09:17:16 CEST
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK

Testing complete mga3 32

For another mirror and another RPM try these :)
curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
and
curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK

Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK

curl -L www.mageia.org > test.html
The site came up in Firefox with no errors.
Hardware: i586 => x86_64

(In reply to Len Lawrence from comment #9)
> curl -L www.mageia.org > test.html
>
> The site came up in Firefox with no errors.

Well at least the documentation links worked - others treated as local links.

David Walser
2014-09-19 23:23:32 CEST
Hardware: x86_64 => All

Following procedure from Comment2
Testing on MGA3 x86_64 in Virtualbox
Everything OK for me as well

Testing on MGA4 x86_64 using the same procedure
Everything OK except curl imap://login:password@imap.free.fr returns list of folders :
* LIST () "/" Trash
* LIST () "/" INBOX/sent-mail
* LIST () "/" Sent
* LIST () "/" INBOX
instead of the first message.
CC: (none) => olchal

Don't change the version assignment on the bugs.
Version: Cauldron => 4

Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK

Validating. Separate advisories uploaded for mga3 and 4.
Could sysadmin please push to 3 & 4 updates
Thanks
Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0384.html
Status: NEW => RESOLVED

An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2014-0385.html
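The two advisories quoted in this bug describe cookie Domain-attribute handling that libcurl got wrong before 7.38.0: suffix matching applied to numeric IP hosts (CVE-2014-3613) and Domain attributes naming a bare top-level domain (CVE-2014-3620). The following Python is an added illustration written for this page, not code from the bug, from Mageia, or from libcurl's cookie.c; it approximates the checks a cookie jar needs so that a reader can see what the update closes off. Function names and the constructed sample hosts are ours, and the "no dot means TLD" rule is a deliberate simplification (real implementations consult the Public Suffix List for multi-label suffixes such as co.uk).

```python
"""Added example: Set-Cookie Domain-attribute checks of the kind the two
advisories in this bug describe. Illustrative Python, not libcurl's cookie.c;
the rules are a simplification of what cURL 7.38.0 enforces and the function
names are this example's own."""
import ipaddress
from typing import Optional


def is_ip_literal(host: str) -> bool:
    """True when `host` is a numeric IPv4/IPv6 address ("[...]" allowed for v6)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: exact equality, or `domain` is a
    suffix of `request_host` at a label boundary and the host is not an IP."""
    request_host, domain = request_host.lower(), domain.lower()
    if request_host == domain:
        return True
    if is_ip_literal(request_host):
        # Suffix matching on dotted numbers ("192.0.2.1" vs "2.1") is
        # meaningless and is the CVE-2014-3613 problem; only equality counts.
        return False
    return request_host.endswith("." + domain)


def cookie_domain_allowed(request_host: str, domain_attr: Optional[str]) -> bool:
    """Decide whether a Set-Cookie Domain attribute received from
    `request_host` may be honoured. A missing or empty attribute yields a
    host-only cookie, which is always acceptable."""
    if not domain_attr:
        return True
    domain = domain_attr.lower().lstrip(".")  # leading dot is ignored (RFC 6265)
    host = request_host.lower()
    if not domain:
        return False
    # CVE-2014-3613 class: the URL used a numeric IP, so the only acceptable
    # Domain is that same address.
    if is_ip_literal(host):
        return host.strip("[]") == domain.strip("[]")
    # CVE-2014-3620 class: a Domain naming a top-level domain ("com", "org")
    # has no dot inside it and would be sent to every site under that TLD.
    # Simplification: multi-label public suffixes such as "co.uk" are not
    # caught here; browsers use the Public Suffix List for that.
    if "." not in domain:
        return False
    return domain_matches(host, domain)


def evaluate_samples() -> dict:
    """Constructed sample decisions, keyed by (request host, Domain attribute)."""
    samples = [
        ("www.example.com", "example.com"),   # ordinary sub-domain cookie
        ("www.example.com", ".example.com"),  # legacy leading dot
        ("www.example.com", "com"),           # TLD cookie: rejected
        ("www.example.com", "other.org"),     # unrelated site: rejected
        ("192.0.2.1", "192.0.2.1"),           # IP literal, exact: allowed
        ("192.0.2.1", "2.1"),                 # IP literal, suffix trick: rejected
        ("[2001:db8::1]", "2001:db8::1"),     # IPv6 literal, exact: allowed
        ("example.com", "www.example.com"),   # Domain longer than host: rejected
    ]
    return {pair: cookie_domain_allowed(*pair) for pair in samples}


if __name__ == "__main__":
    for (host, dom), ok in evaluate_samples().items():
        print(f"{host:>18}  Domain={dom:<16} -> {'accept' if ok else 'reject'}")
```

Running the block prints one accept/reject line per constructed sample; the two rejections that matter for this bug are the `2.1` suffix on a numeric host and the bare `com` Domain, which a pre-7.38.0 libcurl would have accepted.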