Debian has issued an advisory on November 17: http://lists.debian.org/debian-security-announce/2013/msg00212.html
The upstream advisory for this issue is here: http://curl.haxx.se/docs/adv_20131115.html

Cauldron is not affected as it was fixed upstream in 7.33.0. Patched packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated curl packages fix security vulnerability:

Scott Cantor discovered that curl, a file retrieval tool, would disable the CURLOPT_SSL_VERIFYHOST check when the CURLOPT_SSL_VERIFYPEER setting was disabled. This would also disable SSL certificate host name checks when it should have only disabled verification of the certificate trust chain (CVE-2013-4545).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4545
http://curl.haxx.se/docs/adv_20131115.html
http://www.debian.org/security/2013/dsa-2798
========================

Updated packages in core/updates_testing:
========================
curl-7.24.0-1.3.mga2
libcurl4-7.24.0-1.3.mga2
libcurl-devel-7.24.0-1.3.mga2
curl-examples-7.24.0-1.3.mga2

curl-7.28.1-6.2.mga3
libcurl4-7.28.1-6.2.mga3
libcurl-devel-7.28.1-6.2.mga3
curl-examples-7.28.1-6.2.mga3

from SRPMS:
curl-7.24.0-1.3.mga2.src.rpm
curl-7.28.1-6.2.mga3.src.rpm
Whiteboard: (none) => MGA2TOO
Procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Advisory uploaded. Please remove the 'advisory' whiteboard tag if anything changes.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure advisory
Tested successfully on mga2 x86 with procedure in comment#1, except using pop3s and imaps instead of pop3 and imap, respectively.
CC: (none) => dan
(In reply to Dan Fandrich from comment #3)
> Tested successfully on mga2 x86 with procedure in comment#1, except using
> pop3s and imaps instead of pop3 and imap, respectively.

I assume you mean i586. Adding the whiteboard marker. Thanks for testing, Dan.
Whiteboard: MGA2TOO has_procedure advisory => MGA2TOO has_procedure advisory MGA2-32-OK
Testing complete mga2 64
Whiteboard: MGA2TOO has_procedure advisory MGA2-32-OK => MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok
Testing complete on x86_64, but not testing pop3 because I'm not sure if it would remove the mail from the server.
It doesn't remove it, Samuel. Thanks for testing.

Testing complete on mga3 32 & 64. Validating.

Could sysadmin please push from 2 & 3 core/updates_testing to updates. Thanks!
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok => MGA2TOO has_procedure advisory MGA2-32-OK mga2-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0338.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
FYI, adding this patch to the Mageia 2 version of curl uncovered a bug in curl with the --insecure option, where that option should disable SSL host verification and fails to do so. This was fixed in newer versions of curl, so Mageia 3 is unaffected. I have added the simple one-liner fix in Mageia 2 SVN to fix this, but I won't push for a bugfix update unless someone thinks it's really important.

References:
http://lists.debian.org/debian-security-announce/2013/msg00213.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729965
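The two points raised in this bug (the advisory in comment 1: trust-chain verification and host name verification are separate checks that must fail independently; and the follow-up above: --insecure has to switch both of them off) can be exercised against a throwaway local TLS server with the curl command-line tool. The script below is an added example, not part of the Mageia bug, the Debian advisory or the curl project; it assumes the openssl and curl binaries are installed and that the port, file names and labels used are arbitrary choices. It cannot reproduce CVE-2013-4545 itself, because the affected combination (CURLOPT_SSL_VERIFYPEER off, CURLOPT_SSL_VERIFYHOST on) is only reachable through the libcurl API, but it shows what a correct libcurl must do in each of the four cases a tester would want to see.

```shell
#!/bin/sh
# Added example (not from the bug report or upstream): exercise curl's two
# independent TLS checks, chain trust and host name match, against a local
# openssl s_server. Assumes curl and openssl are on PATH; port and paths are
# arbitrary. The certificate is valid for "localhost" only (SAN included,
# since modern curl ignores the CN), so connecting to 127.0.0.1 verifies the
# chain but must still be refused for the name mismatch.

PORT=48443
WORKDIR=$(mktemp -d)

make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
}

# Start the server in the background and wait until it accepts connections.
start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" -www \
        -cert "$WORKDIR/cert.pem" -key "$WORKDIR/key.pem" >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 15 ]; do
        if curl -s -k -o /dev/null --connect-timeout 1 "https://127.0.0.1:$PORT/"; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

# check <label> <want: 0|1> <curl args...>
# Runs curl with the given options; prints <label> when the exit status is
# zero (want=0) or non-zero (want=1) as expected, otherwise flags it.
check() {
    label=$1; want=$2; shift 2
    rc=0
    curl -s -o /dev/null --max-time 5 "$@" || rc=$?
    if [ "$want" = 0 ] && [ "$rc" -eq 0 ]; then echo "$label"
    elif [ "$want" != 0 ] && [ "$rc" -ne 0 ]; then echo "$label"
    else echo "$label-UNEXPECTED(rc=$rc)"
    fi
}

# Runs the four cases and prints one label per case:
#  1. chain trusted via --cacert, name matches        -> fetched
#  2. chain trusted via --cacert, name does not match -> refused
#  3. chain not trusted (no --cacert), name matches   -> refused
#  4. -k/--insecure, name does not match              -> fetched (both
#     checks off; this is the behaviour the Mageia 2 regression broke)
tls_demo() {
    make_cert || { echo "cert-generation-failed"; return 1; }
    start_server || { echo "server-start-failed"; return 1; }
    r1=$(check trusted-name-ok 0 --cacert "$WORKDIR/cert.pem" "https://localhost:$PORT/")
    r2=$(check name-mismatch-refused 1 --cacert "$WORKDIR/cert.pem" "https://127.0.0.1:$PORT/")
    r3=$(check untrusted-chain-refused 1 "https://localhost:$PORT/")
    r4=$(check insecure-skips-both 0 -k "https://127.0.0.1:$PORT/")
    kill "$SERVER_PID" 2>/dev/null
    rm -rf "$WORKDIR"
    echo "$r1 $r2 $r3 $r4"
}
```

Run it as `sh tls_demo.sh` after appending a call to `tls_demo`; every label printed without an `UNEXPECTED` suffix is a pass. Case 2 is the one that matters for this advisory: a libcurl that couples the host name check to peer verification would pass it only by accident of the CLI setting both options together, so API users on affected versions should not rely on the command-line result.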