Debian has issued an advisory on November 17:
The upstream advisory for this issue is here:
Cauldron is not affected as it was fixed upstream in 7.33.0.
Patched packages uploaded for Mageia 2 and Mageia 3.
Updated curl packages fix security vulnerability:
Scott Cantor discovered that curl, a file retrieval tool, would disable the
CURLOPT_SSLVERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was
disabled. This would also disable ssl certificate host name checks when it
should have only disabled verification of the certificate trust chain
Updated packages in core/updates_testing:
Steps to Reproduce:
Advisory uploaded. Please remove the 'advisory' whiteboard tag if anything changes.
MGA2TOO has_procedure =>
MGA2TOO has_procedure advisory
Tested successfully on mga2 x86 with procedure in comment#1, except using pop3s and imaps instead of pop3 and imap, respectively.
(In reply to Dan Fandrich from comment #3)
> Tested successfully on mga2 x86 with procedure in comment#1, except using
> pop3s and imaps instead of pop3 and imap, respectively.
I assume you mean i586. Adding the whiteboard marker. Thanks for testing, Dan.
MGA2TOO has_procedure advisory =>
MGA2TOO has_procedure advisory MGA2-32-OK
Testing complete mga2 64
MGA2TOO has_procedure advisory MGA2-32-OK =>
MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok
Testing complete x86_64, but not testing pop3 because not sure if it would remove the mail from the server.
It doesn't remove it Samuel. Thanks for testing.
Testing complete mga3 32 & 64
Could sysadmin please push from 2&3 core/updates_testing to updates.
MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok =>
MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok mga3-32-ok mga3-64-okCC:
FYI, adding this patch to the Mageia 2 version of curl uncovered a bug in curl with the --insecure option, where that option should disable SSL host verification and fails to do so. This was fixed in newer versions of curl, so Mageia 3 is unaffected. I've have added the simple one-liner fix in Mageia 2 SVN to fix this, but I won't push for a bugfix update unless someone thinks it's really important.