| Summary: | curl new security issue CVE-2022-35252 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, guillaume.royer, herman.viaene, nicolas.salguero, smelror, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | curl-7.74.0-1.7.mga8.src.rpm | CVE: | CVE-2022-35252 |
| Status comment: | | | |

Description

David Walser 2022-08-31 22:38:41 CEST

David Walser 2022-08-31 22:39:02 CEST

CC: (none) => smelror

Suggested advisory:

========================

The updated packages fix a security vulnerability:

Control code in cookie denial of service. (CVE-2022-35252)

References:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252
- https://curl.se/docs/CVE-2022-35252.html

========================

Updated packages in core/updates_testing:

========================

- curl-7.74.0-1.8.mga8
- curl-examples-7.74.0-1.8.mga8
- lib(64)curl4-7.74.0-1.8.mga8
- lib(64)curl-devel-7.74.0-1.8.mga8

from SRPM:

- curl-7.74.0-1.8.mga8.src.rpm

Assignee: bugsquad => qa-bugs

Ubuntu has issued an advisory for this on September 1:
https://ubuntu.com/security/notices/USN-5587-1

Fedora has issued an advisory for this today (September 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXSXGBF37COLVO73E7EGYA34POPEHESU/

MGA8 64

Updated with QA repo and rpms:

- curl-7.74.0-1.8.mga8
- curl-examples-7.74.0-1.8.mga8
- lib(64)curl4-7.74.0-1.8.mga8
- lib(64)curl-devel-7.74.0-1.8.mga8

No installation issue.

```
curl --version
curl 7.74.0 (x86_64-mageia-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1q zlib/1.2.12 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.9.6/gnutls/zlib nghttp2/1.42.0
Release-Date: 2020-12-09
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

curl -I https://www.mageia.org/fr/
HTTP/1.1 200 OK
Date: Mon, 12 Sep 2022 13:34:38 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
```

CC: (none) => guillaume.royer

MGA8-64 Plasma on Acer Aspire 5253

No installation issues

Ref bug 30410 for testing

```
$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="e1dba63e99ec2d19c042d862faa82e014d93583f"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@KeyCDN"><meta name=twitter:creator content="@KeyCDN"><meta property
etc ......

$ curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 301
server: keycdn-engine
date: Thu, 15 Sep 2022 13:12:50 GMT
content-type: text/html
content-length: 162
location: https://www.keycdn.com/keycdn.com
expires: Thu, 22 Sep 2022 13:12:50 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: MISS
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0   8610      0 --:--:-- --:--:-- --:--:--  8662

$ curl -v https://geekflare.com
*   Trying 172.66.43.163:443...
* Connected to geekflare.com (172.66.43.163) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
```

etc ... and at the end

```
* Connection #0 to host geekflare.com left intact
```

This seems all to be correct.

CC: (none) => herman.viaene

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-09-16 19:54:05 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0333.html

Status: ASSIGNED => RESOLVED