| Summary: | curl new security issues CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8816, CVE-2017-8817 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK MGA6-32-OK | ||
| Source RPM: | curl-7.56.0-2.mga7.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 19700 | ||
Description
David Walser
2017-10-07 17:47:10 CEST
David Walser
2017-10-07 17:48:08 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO

Assigning to the registered curl maintainer.

CC:
(none) =>
marja11

Debian has issued an advisory for this on October 6:
https://www.debian.org/security/2017/dsa-3992

Upstream has issued an advisory today (October 23):
https://curl.haxx.se/docs/adv_20171023.html

The issue is fixed upstream in 7.56.1 and a patch is available.

Source RPM:
curl-7.55.1-2.mga7.src.rpm =>
curl-7.56.0-2.mga7.src.rpm

(In reply to David Walser from comment #3)
> Upstream has issued an advisory today (October 23):
> https://curl.haxx.se/docs/adv_20171023.html
>
> The issue is fixed upstream in 7.56.1 and a patch is available.

Ubuntu has issued an advisory for this today (October 23):
https://usn.ubuntu.com/usn/usn-3457-1/

Upstream has issued advisories on November 29:
https://curl.haxx.se/docs/adv_2017-12e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html

The issues are fixed upstream in 7.57.0 and patches are available.

Mageia 5 and Mageia 6 are also affected.

Debian has issued an advisory for this on November 29:
https://www.debian.org/security/2017/dsa-4051

Summary:
curl new security issues CVE-2017-1000254 and CVE-2017-1000257 =>
curl new security issues CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8816, CVE-2017-8817

curl updated to 7.57.0 in Cauldron on December 1 by me.

Whiteboard:
MGA6TOO, MGA5TOO =>
MGA5TOO

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl contains a buffer overrun flaw in the NTLM authentication code (CVE-2017-8816).

libcurl contains a read out of bounds flaw in the FTP wildcard function (CVE-2017-8817).

libcurl may read outside of a heap allocated buffer when doing FTP (CVE-2017-1000254).

libcurl contains a buffer overrun flaw in the IMAP handler (CVE-2017-1000257).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
https://curl.haxx.se/docs/adv_20171004.html
https://curl.haxx.se/docs/adv_20171023.html
https://curl.haxx.se/docs/adv_2017-12e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
========================

Updated packages in core/updates_testing:
========================
curl-7.54.1-2.4.mga6
lib64curl4-7.54.1-2.4.mga6
lib64curl-devel-7.54.1-2.4.mga6
curl-examples-7.54.1-2.4.mga6

from curl-7.54.1-2.4.mga6.src.rpm

Assignee:
shlomif =>
qa-bugs

Ok on m6 i586 and x86_64. Advisory committed to svn. Validating the update.

Whiteboard:
(none) =>
MGA6-64-OK MGA6-32-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0054.html

Status:
NEW =>
RESOLVED