Bug 19123

Summary: curl new security issues CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, herman.viaene, makowski.mageia, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/696214/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: curl-7.40.0-3.3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-08-03 18:47:57 CEST 
Upstream has released version 7.50.1 today (August 3):
https://curl.haxx.se/changes.html

It fixes three security issues and other bugs.

Freeze push requested for Cauldron.  We'll need to add the patches for Mageia 5.
Comment 1 David GEIGER 2016-08-03 20:02:46 CEST 
Done for mga5 adding the three upstream patches.

CC: (none) => geiger.david68210

Comment 2 David Walser 2016-08-03 20:23:06 CEST 
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl before 7.50.1 would attempt to resume a TLS session even if the client
certificate had changed. That is unacceptable since a server by specification
is allowed to skip the client certificate check on resume, and may instead use
the old identity which was established by the previous certificate (or no
certificate) (CVE-2016-5419).

In libcurl before 7.50.1, when using a client certificate for a connection that
was then put into the connection pool, that connection could then wrongly get
reused in a subsequent request to that same server. This mistakenly using the
wrong connection could lead to applications sending requests to the wrong
realms of the server using authentication that it wasn't supposed to have for
those operations (CVE-2016-5420).

libcurl before 7.50.1 is vulnerable to a use-after-free flaw in
curl_easy_perform() (CVE-2016-5421).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421
https://curl.haxx.se/docs/adv_20160803A.html
https://curl.haxx.se/docs/adv_20160803B.html
https://curl.haxx.se/docs/adv_20160803C.html
========================

Updated packages in core/updates_testing:
========================
curl-7.40.0-3.4.mga5
libcurl4-7.40.0-3.4.mga5
libcurl-devel-7.40.0-3.4.mga5
curl-examples-7.40.0-3.4.mga5

from curl-7.40.0-3.4.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 3 David Walser 2016-08-08 22:00:50 CEST 
Debian has issued an advisory for this on August 3:
https://www.debian.org/security/2016/dsa-3638

URL: (none) => http://lwn.net/Vulnerabilities/696214/

Comment 4 Herman Viaene 2016-08-12 11:44:26 CEST 
MGA5-32 on Acer D620 Xfce
No installation issues
Tested  with procedure as per Comment  above
At CLI:
curl -L https://<my-own-webserver>
returns source
$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
returns long list of rpm's
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   277k      0  0:00:01  0:00:01 --:--:--  278k

CC: (none) => herman.viaene

Herman Viaene 2016-08-12 11:44:43 CEST

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 5 Philippe Makowski 2016-08-16 22:09:55 CEST 
MGA5-64 
No installation issues
Tested  with procedure as per Comment  above
At CLI:
curl -L https://<my-own-webserver>
returns source
$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
returns long list of rpm's
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   277k      0  0:00:01  0:00:01 --:--:--  278k

CC: (none) => makowski.mageia
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-08-18 23:54:47 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-08-31 17:33:41 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0285.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED