Bug 17629

Summary: curl new security issue CVE-2016-0755
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: dan, davidwhodgins, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/673777/
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK advisory
Source RPM: curl-7.40.0-3.1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-01-27 15:26:11 CET 
Upstream has issued an advisory today (January 27):
http://curl.haxx.se/docs/adv_20160127A.html

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl before 7.47.0 will reuse NTLM-authenticated proxy connections without
properly making sure that the connection was authenticated with the same
credentials as set for this transfer. The effect of this flaw is that the
application could be reusing a proxy connection using the previously used
credentials and thus it could be given to or prevented access from resources
that it wasn't intended to (CVE-2016-0755).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755
http://curl.haxx.se/docs/adv_20160127A.html
========================

Updated packages in core/updates_testing:
========================
curl-7.40.0-3.3.mga5
libcurl4-7.40.0-3.3.mga5
libcurl-devel-7.40.0-3.3.mga5
curl-examples-7.40.0-3.3.mga5

from curl-7.40.0-3.3.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2016-01-27 15:26:24 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-01-27 15:38:02 CET 
Test 46 in the test suite failed on i586:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20160127141751.luigiwalser.valstar.4075/log/curl-7.40.0-3.3.mga5/build.0.20160127141805.log

Dan, is this a problem, or should I just disable that test?

CC: (none) => dan
Whiteboard: has_procedure => has_procedure feedback

Comment 3 Dan Fandrich 2016-01-27 21:03:06 CET 
It's suspicious. It's not a known flaky test, and the latest autobuilds on the latest source don't have a problem with that test. I'm able to reproduce it; I'll take a look.
Comment 4 Dan Fandrich 2016-01-27 22:33:46 CET 
The problem turned out to be a cookie used in test 46 that expired last year. I've added a patch and re-submitted the package.
Comment 5 David Walser 2016-01-27 22:50:33 CET 
Thanks Dan!  We've run into a similar issue before, I think it might have been an expired TLS certificate in one of the tests.

Whiteboard: has_procedure feedback => has_procedure

Comment 6 David Walser 2016-01-27 22:59:45 CET 
Debian has issued an advisory for this today (January 27):
https://www.debian.org/security/2016/dsa-3455

URL: (none) => http://lwn.net/Vulnerabilities/673777/

Comment 7 Len Lawrence 2016-01-29 20:55:51 CET 
mga5  x86_64  Mate

Tried out bug #4307:comment #11 tests before updating.
The imap and pop3 commands hung - not quite sure what to expect anyway - .eml files?

$ curl -L http://apod.nasa.gov
$ curl -L http://www.erikveen.dds.nl/rubycodesnippets/index.html
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm

These all worked as expected.
And after the update they also work.

Had a look at the test suite but did not feel up to compiling it but would have a go if it is judged necessary.
Ready to OK this for 64-bits.

CC: (none) => tarazed25

Comment 8 David Walser 2016-01-29 20:57:21 CET 
Yeah this one doesn't need much testing since it has an extraordinarily extensive test suite that's run at build time, so we already know it works.
Len Lawrence 2016-01-29 22:31:35 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 9 Len Lawrence 2016-01-29 22:40:41 CET 
Just to rubber-stamp it ran this in a 32-bit vbox.
Executed the website and download tests after the update and all is well.
Len Lawrence 2016-01-29 22:41:10 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Len Lawrence 2016-01-29 22:41:26 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Len Lawrence 2016-01-29 22:42:49 CET 
Would some kind person from sysadmin please push this to Updates.
Dave Hodgins 2016-02-03 02:56:03 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory

Comment 11 Mageia Robot 2016-02-05 18:27:54 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0050.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED