| Summary: | curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-543[56], CVE-2019-548[12] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, marja11, nicolas.salguero, shlomif, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | curl-7.64.1-1.mga7.src.rpm | CVE: | CVE-2019-543[56], CVE-2019-548[12] |
| Status comment: | |||
|
Description
David Walser
2018-10-31 10:54:50 CET
David Walser
2018-10-31 10:55:00 CET
Whiteboard:
(none) =>
MGA6TOO Assigning to the registered maintainer. Assignee:
bugsquad =>
shlomif Debian has issued an advisory for this on November 2: https://www.debian.org/security/2018/dsa-4331 Shlomi updated to 7.62.0 in Cauldron. Whiteboard:
MGA6TOO =>
(none) Fedora says wget's CVE-2018-20483 also affects curl: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AMBI4JRD6CXI7BO7EF3SHBEPARNL4ZBQ/ cURL 7.64.0 has been released on February 6, fixing more security issues: https://curl.haxx.se/changes.html#7_64_0 https://curl.haxx.se/docs/CVE-2018-16890.html https://curl.haxx.se/docs/CVE-2019-3822.html https://curl.haxx.se/docs/CVE-2019-3823.html Shlomi updated it in Cauldron. Summary:
curl new security issues CVE-2018-16839 and CVE-2018-1684[02] =>
curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23] Debian has issued an advisory for this on February 6: https://www.debian.org/security/2019/dsa-4386 cURL 7.65.0 has been released today (May 22), fixing two security issues: https://curl.haxx.se/changes.html#7_65_0 https://curl.haxx.se/docs/CVE-2019-5435.html https://curl.haxx.se/docs/CVE-2019-5436.html CVE-2019-5435 only affects Cauldron, CVE-2019-5436 also affects Mageia 6. Summary:
curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23] =>
curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436 Shlomi built 7.65.0 in updates_testing but it never got moved to release. Version:
6 =>
Cauldron Ubuntu advisory for the most recent CVEs, from May 22: https://usn.ubuntu.com/3993-1/ cURL 7.66.0 has been released today (September 11), fixing two security issues: https://curl.haxx.se/changes.html#7_66_0 https://curl.haxx.se/docs/CVE-2019-5481.html https://curl.haxx.se/docs/CVE-2019-5482.html Mageia 6 and Mageia 7 are also affected. Summary:
curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436 =>
curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436, CVE-2019-548[12] RedHat has issued an advisory for some of these issues on November 5: https://access.redhat.com/errata/RHSA-2019:3701 Assignee:
shlomif =>
pkg-bugs CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23] already fixed in Mageia 7. CC:
(none) =>
nicolas.salguero Suggested advisory: ======================== The updated packages fix security vulnerabilities: An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. (CVE-2019-5435) A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. (CVE-2019-5436) Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. (CVE-2019-5481) Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482 https://curl.haxx.se/changes.html#7_65_0 https://curl.haxx.se/docs/CVE-2019-5435.html https://curl.haxx.se/docs/CVE-2019-5436.html https://curl.haxx.se/changes.html#7_66_0 https://curl.haxx.se/docs/CVE-2019-5481.html https://curl.haxx.se/docs/CVE-2019-5482.html https://usn.ubuntu.com/3993-1/ ======================== Updated packages in core/updates_testing: ======================== curl-7.66.0-1.mga7 lib(64)curl4-7.66.0-1.mga7 lib(64)curl-devel-7.66.0-1.mga7 curl-examples-7.66.0-1.mga7 from SRPMS: curl-7.66.0-1.mga7.src.rpm Whiteboard:
MGA7TOO, MGA6TOO =>
(none) MGA7-64 Plasma on Lenovo B50 No installation issues. Found https://www.keycdn.com/support/popular-curl-examples with a series of examples: $ curl https://www.keycdn.com <!DOCTYPE html> <html lang="en" prefix="og: http://ogp.me/ns#"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="version" content="81d039956b90644e963c12544cddac4339380779"> <title>KeyCDN - Content delivery made easy</title> and a lot more $ curl -I https://www.keycdn.com/ HTTP/2 200 server: keycdn-engine date: Mon, 18 Nov 2019 14:08:14 GMT content-type: text/html vary: Accept-Encoding last-modified: Fri, 15 Nov 2019 23:51:32 GMT etag: W/"5dcf3a04-13f5f" expires: Mon, 25 Nov 2019 14:08:14 GMT cache-control: max-age=604800 strict-transport-security: max-age=31536000; includeSubdomains; preload content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: no-referrer-when-downgrade x-cache: HIT x-edge-location: nlam access-control-allow-origin: * The next commands in the site do not work anymore as the address cdn.keydn.com does not exist anymore. Trying $ curl -o myfile.css https://www.keycdn.com/css/animate.min.css results in a decent looking html file created, but it contents is "Error 404" as the site is changed since then. The same goes for $ curl -O https://cdn.keycdn.com/css/animate.min.css example 5 I couldn't figure out what was added in the loooooong output. $ curl -D - https://www.keycdn.com/ -o /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0HTTP/2 200 server: keycdn-engine date: Mon, 18 Nov 2019 14:52:34 GMT content-type: text/html vary: Accept-Encoding last-modified: Fri, 15 Nov 2019 23:51:32 GMT etag: W/"5dcf3a04-13f5f" expires: Mon, 25 Nov 2019 14:52:34 GMT cache-control: max-age=604800 strict-transport-security: max-age=31536000; includeSubdomains; preload content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: no-referrer-when-downgrade x-cache: HIT x-edge-location: nlam access-control-allow-origin: * 100 81759 0 81759 0 0 654k 0 --:--:-- --:--:-- --:--:-- 659k From https://curl.haxx.se/docs/httpscripting.html I try $ curl --trace-ascii d.txt --trace-time http://www.keycdn.com The rsulting file contains a long list with time stamps. and $ curl --user me:mypasswd ftp://<mydesktop>/ list me the contents of the home directory. Seems all well enough. CC:
(none) =>
herman.viaene There's no need to test curl itself as it has an extensive build-time test suite, but we do need to check something that uses libcurl to make sure updating curl didn't break it (as it has sometimes in the past). (In reply to David Walser from comment #15) > There's no need to test curl itself as it has an extensive build-time test > suite, but we do need to check something that uses libcurl to make sure > updating curl didn't break it (as it has sometimes in the past). "urpmq --whatrequires lib64curl4" contains "psensor" on the long list that results. It just so happens that I installed Psensor on my laptop months ago after installing an ssd. I checked Psensor before updating anything, and everything was working as it should as far as I can tell. After shutting Psensor down and using the QA Repo tool to update curl and lib64curl4, I checked again. Nothing was broken that I could see. Validating. Advisory in Comment 13. Keywords:
(none) =>
validated_update
Thomas Backlund
2019-11-30 12:22:41 CET
CC:
(none) =>
tmb An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0337.html Status:
ASSIGNED =>
RESOLVED |