Bug 31554

Summary: curl new security issue CVE-2023-23916
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, fri, herman.viaene, nicolas.salguero, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: curl-7.74.0-1.10.mga8.src.rpm CVE: CVE-2023-23916
Status comment:

Description David Walser 2023-02-15 17:10:57 CET 
cURL has issued advisories today (February 15):
https://curl.se/docs/CVE-2023-23914.html
https://curl.se/docs/CVE-2023-23915.html
https://curl.se/docs/CVE-2023-23916.html

The issues are fixed upstream in 7.88.0.

Stig-Ørjan has already updated Cauldron.

Mageia 8 is also affected by CVE-2023-23916.
Comment 1 Lewis Smith 2023-02-15 21:06:54 CET 
Assigning to Stig, but if this is not appropriate, CC'ing NicolasS who did the last CVE update.

CC: (none) => nicolas.salguero
Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2023-02-15 22:34:14 CET 
7.88.0 was sent to the build system for Cauldron earlier today.
Comment 3 David Walser 2023-02-15 22:35:13 CET 
(In reply to Stig-Ørjan Smelror from comment #2)
> 7.88.0 was sent to the build system for Cauldron earlier today.

Yes, already noted.  Mageia 8 needs to be patched.
Comment 4 Nicolas Salguero 2023-02-16 15:33:36 CET 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

HTTP multi-header compression denial of service. (CVE-2023-23916)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916
https://curl.se/docs/CVE-2023-23916.html
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.11.mga8
curl-examples-7.74.0-1.11.mga8
lib(64)curl4-7.74.0-1.11.mga8
lib(64)curl-devel-7.74.0-1.11.mga8

from SRPM:
curl-7.74.0-1.11.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2023-23916
Assignee: smelror => qa-bugs

Comment 5 Herman Viaene 2023-02-17 17:02:53 CET 
As in bug 31306 rebooted, wifi is OK and checked settingsn in Netwerk Center: all OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Morgan Leijström 2023-02-17 17:36:55 CET 
mga8 -64, plasma, nvidia-current, intel i7, Swedish

Updated existing packages to:
- curl-7.74.0-1.11.mga8.x86_64
- lib64curl-devel-7.74.0-1.11.mga8.x86_64
- lib64curl4-7.74.0-1.11.mga8.x86_64

rebooted.

downloaded a file from internet OK

Due to Bug 24362 - Change default package downloader to wget 
*I* am *not* testing it for updates use

CC: (none) => fri

Comment 7 Thomas Andrews 2023-02-18 15:16:32 CET 
Validating. Advisory in comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-20 20:54:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-02-20 22:27:07 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0054.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED