| Summary: | curl new security issues CVE-2021-22876 and CVE-2021-22890 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-OK | ||
| Source RPM: | curl-7.74.0-1.mga8.src.rpm | CVE: | CVE-2021-22876, CVE-2021-22890 |
| Status comment: | |||
Description
Nicolas Salguero
2021-03-31 08:56:46 CEST

Nicolas Salguero
2021-03-31 08:58:17 CEST

CVE: (none) => CVE-2021-22876, CVE-2021-22890

curl 7.76.0 is now in Cauldron.

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)

TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
https://curl.se/changes.html
========================

Updated packages in 7/core/updates_testing:
========================
curl-7.71.0-1.2.mga7
lib(64)curl4-7.71.0-1.2.mga7
lib(64)curl-devel-7.71.0-1.2.mga7
curl-examples-7.71.0-1.2.mga7

from SRPM:
curl-7.71.0-1.2.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
curl-7.74.0-1.1.mga8
lib(64)curl4-7.74.0-1.1.mga8
lib(64)curl-devel-7.74.0-1.1.mga8
curl-examples-7.74.0-1.1.mga8

from SRPM:
curl-7.74.0-1.1.mga8.src.rpm

Status: NEW => ASSIGNED

Oops! Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)

TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
https://curl.se/docs/CVE-2021-22876.html
https://curl.se/docs/CVE-2021-22890.html
https://curl.se/changes.html
========================

Installed and tested without issues.

Tested:
- HTTP(S) 1.1, HTTP(S) 2, FTP(S), SCP, SFTP, IMAP.
- HTTP GET, POST, HEAD.

All that was tested worked as expected. No issues noticed.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep curl.*7.71 | sort
curl-7.71.0-1.2.mga7
lib64curl4-7.71.0-1.2.mga7
libcurl4-7.71.0-1.2.mga7

CC: (none) => mageia

Tested in a VirtualBox mga8 64-bit Plasma guest. No installation issues.

After installation, ensured that curl was to be used for downloading in drakrpm, then downloaded and installed several games from the math.princeton repo. No issues noted.

OK for mga8. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet
2021-04-12 16:33:39 CEST

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0186.html

Resolution: (none) => FIXED

Debian has issued an advisory for this on March 30:
https://www.debian.org/security/2021/dsa-4881
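The QA comments above exercise the updated packages functionally but do not check the CVE-2021-22876 behaviour itself. The following script is an added example (not part of this bug report, the Mageia QA procedure, or the curl project) that does: it starts a constructed HTTP server on 127.0.0.1 whose /start path answers 302 to /target and whose /target path records the Referer header it receives, then fetches http://user:s3cret@127.0.0.1:PORT/start with `curl -L --referer ';auto'`, which makes curl populate Referer from the previous URL (libcurl's CURLOPT_AUTOREFERER). A vulnerable libcurl sends the `user:s3cret@` userinfo to /target; a fixed one strips it. The host, paths, port selection and credential values are assumptions made for this example, and the `curl` binary on PATH is the one being tested (the probe returns None when no curl is installed).

```python
"""
Added example: local check for the CVE-2021-22876 Referer credential leak.
Not code from the Mageia bug, its QA team, or the curl project.  The server,
its /start and /target paths and the user:s3cret credential are constructed.
"""
import shutil
import subprocess
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit


def referer_leaks_userinfo(referer):
    """True if a Referer value still carries URL userinfo (user:pass@host)."""
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.username is not None or parts.password is not None


class _Recorder(BaseHTTPRequestHandler):
    """Constructed origin: /start redirects to /target; /target logs Referer."""

    received = []  # Referer values seen on /target, shared across requests

    def do_GET(self):
        if self.path == "/start":
            self.send_response(302)
            self.send_header("Location", "/target")
            self.end_headers()
            return
        if self.path == "/target":
            _Recorder.received.append(self.headers.get("Referer"))
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        self.send_error(404)

    def log_message(self, *args):  # keep the example's output quiet
        pass


def start_server():
    """Bind an ephemeral port on 127.0.0.1; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _Recorder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def simulate_client(port, referer):
    """Send one request to /target with a chosen Referer (no curl involved)
    and return what the server recorded; models what a client would send."""
    _Recorder.received.clear()
    req = urllib.request.Request("http://127.0.0.1:%d/target" % port,
                                 headers={"Referer": referer})
    with urllib.request.urlopen(req, timeout=5) as resp:
        resp.read()
    return _Recorder.received[-1]


def probe_with_curl(port, user="user", password="s3cret"):
    """Run the installed curl against the local server with credentials in
    the start URL and auto-referer enabled.  Returns the Referer string that
    reached /target, or None if curl is missing or no request arrived."""
    if shutil.which("curl") is None:
        return None
    _Recorder.received.clear()
    url = "http://%s:%s@127.0.0.1:%d/start" % (user, password, port)
    cmd = ["curl", "-sS", "-o", "/dev/null", "-L", "--referer", ";auto", url]
    try:
        subprocess.run(cmd, check=False, timeout=10)
    except (subprocess.TimeoutExpired, OSError):
        return None
    return _Recorder.received[-1] if _Recorder.received else None


if __name__ == "__main__":
    server, port = start_server()
    try:
        seen = probe_with_curl(port)
        if seen is None:
            print("curl not found or no request reached /target")
        elif referer_leaks_userinfo(seen):
            print("VULNERABLE: Referer carried credentials: %r" % seen)
        else:
            print("OK: Referer received without userinfo: %r" % seen)
    finally:
        server.shutdown()
```

Run it on the host under test after installing the updated curl package; a box still on an unpatched libcurl prints the VULNERABLE line with the full `user:s3cret@` URL, while the fixed build sends `http://127.0.0.1:PORT/start`. Because the Referer goes to whatever host the redirect points at, the same probe works against a redirect to a second, differently named origin, which is the real-world leak the advisory describes.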