Bug 31703

Summary: curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2], CVE-2023-38039
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, luigiwalser, nicolas.salguero, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: curl-7.88.1-3.mga9.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2023-03-20 16:00:09 CET 
cURL has issued advisories today (March 20):
https://curl.se/docs/CVE-2023-27533.html
https://curl.se/docs/CVE-2023-27534.html
https://curl.se/docs/CVE-2023-27535.html
https://curl.se/docs/CVE-2023-27536.html
https://curl.se/docs/CVE-2023-27537.html
https://curl.se/docs/CVE-2023-27538.html

The issues are fixed upstream in 8.0.0.

Mageia 8 is also affected by all those issues except CVE-2023-27537.
Nicolas Salguero 2023-03-20 16:01:00 CET

Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => curl-7.88.1-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2023-03-20 16:15:48 CET 
cURL 8.0.1 was released to fix a bug present in 8.0.0.

Status comment: (none) => Fixed upstream in 8.0.1

Comment 2 David Walser 2023-03-20 17:57:19 CET 
*** Bug 31704 has been marked as a duplicate of this bug. ***

CC: (none) => luigiwalser

Comment 3 David Walser 2023-03-20 18:27:18 CET 
Ubuntu has issued an advisory for this today (March 20):
https://ubuntu.com/security/notices/USN-5964-1
Comment 4 Lewis Smith 2023-03-20 21:41:39 CET 
Assigning to Stig who currently updates curl.

Assignee: bugsquad => smelror

Comment 5 Stig-Ørjan Smelror 2023-03-22 16:05:10 CET 
I've sent this over to my Padawan to look at. Will update when he's done the necessary changes.
Comment 6 Nicolas Salguero 2023-03-22 16:25:12 CET 
Hi,

Sorry to have cut the grass underfoot.

For Cauldron, I added the patches from Debian.

For Mga8, I had to mix and adapt the patches from Ubuntu.

Best regards,

Nico.
Comment 7 Stig-Ørjan Smelror 2023-03-22 16:42:02 CET 
(In reply to Nicolas Salguero from comment #6)
> Hi,
> 
> Sorry to have cut the grass underfoot.
> 
> For Cauldron, I added the patches from Debian.
> 
> For Mga8, I had to mix and adapt the patches from Ubuntu.
> 
> Best regards,
> 
> Nico.

No worries :-)
Comment 8 David Walser 2023-05-18 18:14:30 CEST 
(In reply to Nicolas Salguero from comment #6)
> Hi,
> 
> Sorry to have cut the grass underfoot.
> 
> For Cauldron, I added the patches from Debian.
> 
> For Mga8, I had to mix and adapt the patches from Ubuntu.
> 
> Best regards,
> 
> Nico.

Are we going to push a build with these fixes?
Comment 9 David Walser 2023-05-18 18:38:58 CEST 
cURL has issued advisories on May 17:
https://curl.se/docs/CVE-2023-28319.html
https://curl.se/docs/CVE-2023-28320.html
https://curl.se/docs/CVE-2023-28321.html
https://curl.se/docs/CVE-2023-28322.html

The issues are fixed upstream in 8.0.1.

Mageia 8 is affected by all but CVE-2023-28319.

Summary: curl new security issues CVE-2023-2753[3-8] => curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2]

Comment 10 David Walser 2023-05-18 18:39:51 CEST 
Correction, the new issues are fixed upstream in 8.1.0:
https://curl.se/changes.html

Status comment: Fixed upstream in 8.0.1 => Fixed upstream in 8.1.0

Comment 11 David Walser 2023-05-19 20:27:38 CEST 
SUSE has issued an advisory for the latest issues on May 17:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014913.html
Comment 12 Nicolas Salguero 2023-06-02 09:10:45 CEST 
Hi,

curl-7.88.1-3.mga9 fixes all those CVEs.

Best regards,

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 13 Nicolas Salguero 2023-06-02 09:12:10 CEST 
I forgot to say that curl-7.74.0-1.12.mga8 fixes CVE-2023-2753[3-8], CVE-2023-28319.
Comment 14 Nicolas Salguero 2023-06-02 09:12:43 CEST 
Oops, only CVE-2023-2753[3-8], not CVE-2023-28319.
Comment 15 David Walser 2023-08-04 17:03:52 CEST 
cURL has issued an advisory on July 19:
https://curl.se/docs/CVE-2023-32001.html

The issue is fixed upstream in 8.2.0.

Mageia 8 is also affected.

Summary: curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2] => curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2], CVE-2023-32001
Version: 8 => Cauldron
Status comment: Fixed upstream in 8.1.0 => Fixed upstream in 8.2.0
Whiteboard: (none) => MGA8TOO

Comment 16 Nicolas Salguero 2023-09-15 15:12:41 CEST 
CVE-2023-32001 was finally rejected as it is no more considered as a security issue.

cURL has issued an advisory on September 13:
https://curl.se/docs/CVE-2023-38039.html

The issue is fixed upstream in 8.3.0.

Mageia 8 is not affected by that CVE.

Version: Cauldron => 9
Status comment: Fixed upstream in 8.2.0 => Fixed upstream in 8.3.0
Summary: curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2], CVE-2023-32001 => curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2], CVE-2023-38039

Comment 17 Nicolas Salguero 2023-09-15 15:14:14 CEST 
Ubuntu has issued an advisory for CVE-2023-38039 on September 13:
https://ubuntu.com/security/notices/USN-6363-1
Comment 18 Nicolas Salguero 2023-09-19 13:46:27 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

TELNET option IAC injection. (CVE-2023-27533)

SFTP path ~ resolving discrepancy. (CVE-2023-27534)

FTP too eager connection reuse. (CVE-2023-27535)

GSS delegation too eager connection re-use. (CVE-2023-27536)

HSTS double free. (CVE-2023-27537)

SSH connection too eager reuse still. (CVE-2023-27538)

UAF in SSH sha256 fingerprint check. (CVE-2023-28319)

siglongjmp race condition. (CVE-2023-28320)

IDN wildcard match. (CVE-2023-28321)

more POST-after-PUT confusion. (CVE-2023-28322)

HTTP headers eat all memory. (CVE-2023-38039)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38039
https://curl.se/docs/CVE-2023-27533.html
https://curl.se/docs/CVE-2023-27534.html
https://curl.se/docs/CVE-2023-27535.html
https://curl.se/docs/CVE-2023-27536.html
https://curl.se/docs/CVE-2023-27537.html
https://curl.se/docs/CVE-2023-27538.html
https://ubuntu.com/security/notices/USN-5964-1
https://curl.se/docs/CVE-2023-28319.html
https://curl.se/docs/CVE-2023-28320.html
https://curl.se/docs/CVE-2023-28321.html
https://curl.se/docs/CVE-2023-28322.html
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014913.html
https://curl.se/docs/CVE-2023-32001.html
https://curl.se/docs/CVE-2023-38039.html
https://ubuntu.com/security/notices/USN-6363-1
========================

Updated packages in 9/core/updates_testing:
========================
curl-7.88.1-3.1.mga9
curl-examples-7.88.1-3.1.mga9
lib(64)curl4-7.88.1-3.1.mga9
lib(64)curl-devel-7.88.1-3.1.mga9

from SRPM:
curl-7.88.1-3.1.mga9.src.rpm

Updated packages in 8/core/updates_testing:
========================
curl-7.74.0-1.13.mga8
curl-examples-7.74.0-1.13.mga8
lib(64)curl4-7.74.0-1.13.mga8
lib(64)curl-devel-7.74.0-1.13.mga8

from SRPM:
curl-7.74.0-1.13.mga8.src.rpm

Source RPM: curl-7.88.1-1.mga9.src.rpm => curl-7.88.1-3.mga9.src.rpm
Status comment: Fixed upstream in 8.3.0 => (none)
Assignee: smelror => qa-bugs
Status: NEW => ASSIGNED

Comment 19 Dave Hodgins 2023-09-20 19:16:17 CEST 
Tested on m8 and m9. Validating.

CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-09-20 23:22:27 CEST

Keywords: (none) => advisory

Comment 20 Mageia Robot 2023-09-25 00:18:29 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0263.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED