| Summary: | curl new security issues CVE-2024-2004, CVE-2024-2379, CVE-2024-2398 and CVE-2024-2466 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, herman.viaene, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK, has_procedure | ||
| Source RPM: | curl-8.6.0-3.mga10.src.rpm | CVE: | CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466 |
| Status comment: | Fixed upstream in 8.7.0 and patches available from upstream | ||
Description

Nicolas Salguero, 2024-03-27 10:58:10 CET

Nicolas Salguero, 2024-03-27 10:58:38 CET

Source RPM: (none) => curl-8.6.0-3.mga10.src.rpm

Nicolas Salguero, 2024-03-27 10:59:15 CET

Status comment: (none) => Fixed upstream in 8.7.0 and patches available from upstream

Assigning this to you, Dan, as you seem to be the principal maintainer of curl.

Assignee: bugsquad => dan

I should probably make that official…

Status: NEW => ASSIGNED

Only CVE-2024-2398 and CVE-2024-2004 apply to mga9 (ver. 7.88.1) as well as our package of 8.6.0 in Cauldron. I have a feeling there will be a point release in a few days and since neither of them are high severity I'll hold off on updating Cauldron for the moment.

I accidentally bumped the rel instead of the subrel, but curl-7.88.1-4.3.mga9 is now available in updates_testing (the rel bump shouldn't matter because cauldron is way ahead of this version).

Proposed advisory:

Patched curl/libcurl fixes security vulnerabilities

CVE-2024-2004: Usage of disabled protocol
If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted.

CVE-2024-2398: HTTP/2 push headers memory-leak
A memory leak could occur when an application enabled HTTP/2 server push and the server sent a large number of headers.

References:
https://curl.se/docs/CVE-2024-2004.html
https://curl.se/docs/CVE-2024-2398.html

New RPMs:

- i586:
curl-examples-7.88.1-4.3.mga9.noarch.rpm
libcurl4-7.88.1-4.3.mga9.i586.rpm
curl-7.88.1-4.3.mga9.i586.rpm
libcurl-devel-7.88.1-4.3.mga9.i586.rpm
curl-debugsource-7.88.1-4.3.mga9.i586.rpm
curl-debuginfo-7.88.1-4.3.mga9.i586.rpm
libcurl4-debuginfo-7.88.1-4.3.mga9.i586.rpm

- x86_64:
curl-examples-7.88.1-4.3.mga9.noarch.rpm
lib64curl-devel-7.88.1-4.3.mga9.x86_64.rpm
lib64curl4-7.88.1-4.3.mga9.x86_64.rpm
curl-7.88.1-4.3.mga9.x86_64.rpm
curl-debuginfo-7.88.1-4.3.mga9.x86_64.rpm
curl-debugsource-7.88.1-4.3.mga9.x86_64.rpm
lib64curl4-debuginfo-7.88.1-4.3.mga9.x86_64.rpm

- armv7hl:
libcurl-devel-7.88.1-4.3.mga9.armv7hl.rpm
libcurl4-7.88.1-4.3.mga9.armv7hl.rpm
curl-examples-7.88.1-4.3.mga9.noarch.rpm
curl-7.88.1-4.3.mga9.armv7hl.rpm
curl-debugsource-7.88.1-4.3.mga9.armv7hl.rpm
curl-debuginfo-7.88.1-4.3.mga9.armv7hl.rpm
libcurl4-debuginfo-7.88.1-4.3.mga9.armv7hl.rpm

- aarch64:
lib64curl-devel-7.88.1-4.3.mga9.aarch64.rpm
curl-examples-7.88.1-4.3.mga9.noarch.rpm
lib64curl4-7.88.1-4.3.mga9.aarch64.rpm
curl-7.88.1-4.3.mga9.aarch64.rpm
curl-debuginfo-7.88.1-4.3.mga9.aarch64.rpm
lib64curl4-debuginfo-7.88.1-4.3.mga9.aarch64.rpm
curl-debugsource-7.88.1-4.3.mga9.aarch64.rpm

- source:
curl-7.88.1-4.3.mga9.src.rpm

Test procedure for CVE-2024-2004:

Run:
curl --no-progress-meter --proto -all http://curl.se

The result should be:
curl: (1) Protocol "http" disabled

If the result is no output, curl is buggy.

I'm not aware of an easy test procedure for CVE-2024-2398.

Whiteboard: MGA9TOO => MGA9TOO, has_procedure
katnatek, 2024-03-27 23:42:43 CET

Keywords: (none) => advisory

katnatek, 2024-03-27 23:45:43 CET

Assignee: dan => qa-bugs

RH mageia 9 x86_64

Before the update:
curl --no-progress-meter --proto -all http://curl.se
Produces empty output

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing lib64curl4-7.88.1-4.3.mga9.x86_64.rpm lib64curl-devel-7.88.1-4.3.mga9.x86_64.rpm curl-7.88.1-4.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: lib64curl4 ##################################################################################################
2/3: lib64curl-devel ##################################################################################################
3/3: curl ##################################################################################################
1/3: removing lib64curl-devel-1:7.88.1-3.3.mga9.x86_64 ##################################################################################################
2/3: removing curl-1:7.88.1-3.3.mga9.x86_64 ##################################################################################################
3/3: removing lib64curl4-1:7.88.1-3.3.mga9.x86_64 ##################################################################################################

After the update:
curl --no-progress-meter --proto -all http://curl.se
curl: (1) Protocol "http" not supported or disabled in libcurl

MGA9-64 Plasma Wayland on HP Pavilion

No installation issues

Ref bug 32362 for testing and comment 5 above:

$ curl --no-progress-meter --proto -all http://curl.se
curl: (1) Protocol "http" not supported or disabled in libcurl

Tests as in bug 32362, but tor test omitted (not enough time)

$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4252  100  4219  100    33  11406     89 --:--:-- --:--:-- --:--:-- 11523

$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4301  100  4268  100    33  23374    180 --:--:-- --:--:-- --:--:-- 23502

$ grep ' = ' /tmp/out.html
<li><code>yummy = chocolate</code></li>

Looks OK for me AFAICS

CC: (none) => herman.viaene
katnatek, 2024-03-28 18:41:57 CET

CC: (none) => andrewsfarm

katnatek, 2024-03-28 18:42:35 CET

Whiteboard: MGA9TOO, has_procedure => MGA9-64-OK, has_procedure

Validating.

CC: (none) => sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0099.html

Status: ASSIGNED => RESOLVED