Bug 29278

Summary: curl new security issues CVE-2021-2292[2-5]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: curl-7.74.0-1.2.mga8.src.rpm CVE: CVE-2021-2292[2-5]
Status comment:

Description David Walser 2021-07-21 16:32:29 CEST 
cURL has issued advisories today (July 21):
https://curl.se/docs/CVE-2021-22922.html
https://curl.se/docs/CVE-2021-22923.html
https://curl.se/docs/CVE-2021-22924.html
https://curl.se/docs/CVE-2021-22925.html

The issues are fixed upstream in 7.78.0.

Mageia 8 is also affected.
Comment 1 David Walser 2021-07-21 16:34:14 CEST 
Note that there's no patches for the first two CVEs; the fix is disabling metalink support in curl.

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 7.78.0

Comment 2 David Walser 2021-07-21 16:54:24 CEST 
SUSE has issued an advisory for this today (July 21):
https://lists.suse.com/pipermail/sle-security-updates/2021-July/009187.html
Comment 3 Lewis Smith 2021-07-21 20:13:24 CEST 
This 'nobody' SRPM has been committed by different people, so assigning the bug globally.

Assignee: bugsquad => pkg-bugs

Comment 4 Nicolas Salguero 2021-07-22 13:24:26 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Wrong content via metalink not discarded. (CVE-2021-22922)

Metalink download sends credentials. (CVE-2021-22923)

Bad connection reuse due to flawed path name checks. (CVE-2021-22924)

TELNET stack contents disclosure again. (CVE-2021-22925)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22922
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22923
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22924
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22925
https://curl.se/docs/CVE-2021-22922.html
https://curl.se/docs/CVE-2021-22923.html
https://curl.se/docs/CVE-2021-22924.html
https://curl.se/docs/CVE-2021-22925.html
https://lists.suse.com/pipermail/sle-security-updates/2021-July/009187.html
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.3.mga8
curl-examples-7.74.0-1.3.mga8
lib(64)curl4-7.74.0-1.3.mga8
lib(64)curl-devel-7.74.0-1.3.mga8

from SRPM:
curl-7.74.0-1.3.mga8.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Source RPM: curl-7.77.0-1.mga9.src.rpm => curl-7.74.0-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 7.78.0 => (none)

Comment 5 David Walser 2021-07-23 21:52:10 CEST 
Ubuntu has issued an advisory for this on July 22:
https://ubuntu.com/security/notices/USN-5021-1
Comment 6 David Walser 2021-07-25 21:32:12 CEST 
curl command works fine for downloading a few things.  Since it was just patched and has an extensive build-time test suite, extensive QA testing is not necessary.  OK for Mageia 8 x86_64.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2021-07-26 03:17:16 CEST 
Validating. Advisory in Comment 4.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-07-27 20:46:03 CEST

CVE: (none) => CVE-2021-2292[2-5]
Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 8 Mageia Robot 2021-07-27 22:23:43 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0384.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED