Upstream has issued an advisory today (January 29): http://curl.haxx.se/docs/adv_20140129.html
The issue is fixed in 7.35.0, and there is a patch available.
Whiteboard: (none) => MGA4TOO, MGA3TOO
Debian has issued an advisory for this today (January 31): http://www.debian.org/security/2014/dsa-2849
URL: (none) => http://lwn.net/Vulnerabilities/583667/
Updated (in Cauldron) and patched packages (Mageia 3/4) uploaded by Funda.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

Paras Sethia discovered that libcurl, a client-side URL transfer library, would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user (CVE-2014-0015).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://curl.haxx.se/docs/adv_20140129.html
http://www.debian.org/security/2014/dsa-2849
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.3.mga3
libcurl4-7.28.1-6.3.mga3
libcurl-devel-7.28.1-6.3.mga3
curl-examples-7.28.1-6.3.mga3
curl-7.34.0-1.1.mga4
libcurl4-7.34.0-1.1.mga4
libcurl-devel-7.34.0-1.1.mga4
curl-examples-7.34.0-1.1.mga4

from SRPMS:
curl-7.28.1-6.3.mga3.src.rpm
curl-7.34.0-1.1.mga4.src.rpm
CC: (none) => fundawang
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
*** Bug 12577 has been marked as a duplicate of this bug. ***
Both in Cauldron and in Mageia 4 I have many errors now when trying to install packages and updates. I don't have a clue whether it is related to the new curl package. In Mga 4 I have:
[u@localhost Desktop]$ rpm -qa | grep curl
libcurl4-7.34.0-1.1.mga4
curl-7.34.0-1.1.mga4
In Mageia 4 this first occurred right after I had installed the new curl: https://bugs.mageia.org/show_bug.cgi?id=12608
I don't have time to downgrade the curl packages now, sorry.
CC: (none) => marja11
2014:02:06:13:21 < neoclust> marja: i confirm that reverting curl fixes my urpmi pbs
Don't know whether he meant 4 or Cauldron, but I just tried the same in 4. Downgrading to the 7.34.0.1.mga4 version of the packages solves the problem here, too. For me and on Mga4, this is for i586.
@ Funda: can you please look into this again?
CC: (none) => stormi
Whiteboard: MGA3TOO => MGA3TOO feedback
Depends on: (none) => 12608
Created attachment 4960: cli output of curl install with the timeouts right after it is installed
Attaching my cli output from 2½ days ago, because Luigi12 said on IRC the timeouts issue shouldn't affect Mga4. To me it looks very much the same as what I saw in Cauldron, except that this is mga4 curl and not mga5.
Dan, do you have any insight on this?
CC: (none) => dan
I got hit, don't know if it's a client or server issue.

retrieving rpm files from medium "Core Updates Testing"...
not using metalink since requested downloader does not handle it
retrieving ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing
kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm
kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm
kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm
virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm
'/usr/bin/curl' '-q' '--location-trusted' '-R' '-f' '--disable-epsv' '--connect-timeout' '60' '--anyauth' '--stderr' '-' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm' '-O' 'ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm'
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm
...retrieving failed: curl: (67) Access denied: 530
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm
...retrieving failed: curl: (67) Access denied: 530
...retrieving failed: curl: (67) Access denied: 530
error: curl failed: exited with 67
...retrieving failed: curl failed: exited with 67
Installation failed, some files are missing:
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-latest-3.12.13-2.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-devel-latest-3.12.13-2.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-3.12.13-desktop-2.mga4-4.3.6-11.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/virtualbox-kernel-desktop-latest-4.3.6-11.mga4.x86_64.rpm
ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/x86_64/media/core/updates_testing/kernel-desktop-3.12.13-2.mga4-1-1.mga4.x86_64.rpm
You may need to update your urpmi database.
Try to continue anyway? (y/N)
After reproducing 4 times, I downgraded curl and lib64curl4 to the release version in mga4, and download succeeded.
See Bug 12608, Dan Fandrich is a Mageia packager and upstream CURL developer and confirmed the problem. He didn't post a link to a report upstream, but hopefully it's being worked on there.
There were a couple of related issues found with this patch, but I believe the current git HEAD now works. I'll try to extract the set of commits that can be back-ported.
There will be another upstream curl release on Wednesday that will fix this issue as well as a few other high-priority ones.
(In reply to Dan Fandrich from comment #12)
> There will be another upstream curl release on Wednesday that will fix this
> issue as well as a few other high-priority ones.
Thanks. Will we be able to get a patch so that we can go forward with the security update for Mageia 3 and Mageia 4?
Sorry about the delay; I'm having trouble finding the sustained time to do this kind of thing lately. I've updated the curl-7.35.0-cve-2014-0015.patch file in the mga4 branch (only) with an update that fixes the issue reported in comment #3 (a.k.a. bug #12608). That should now be ready to go to testing. However, I suggest waiting until 7.36.0 is released Wednesday before pushing this to updates, as that release will include another security fix that we'll want to include.
Thanks Dan. The updated parts of the patch don't apply cleanly in the Mageia 3 branch. What can we do there?
I've rebased the patch against 7.28.1 and checked it into the mga3 branch. I'm not nearly as confident in this patch since a lot has changed since 7.28.1 and 7.35.0, but I'll try to verify it more in a few days.
Upstream has issued two more advisories today (March 26):
http://curl.haxx.se/docs/adv_20140326A.html
http://curl.haxx.se/docs/adv_20140326B.html
Patches checked into Mageia 3 and Mageia 4 SVN. There were actually 2 additional other upstream advisories today, but they only affect Mac OS X and Windows. All of these issues are fixed upstream in 7.36.0, which I uploaded to Cauldron.

Patched packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

Paras Sethia discovered that libcurl would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user (CVE-2014-0015).

libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP, causing a transfer that was initiated by an application to wrongfully re-use an existing connection to the same server that was authenticated using different credentials (CVE-2014-0138).

libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses, so under certain conditions, it would allow and use a wildcard match specified in the CN field, allowing a malicious server to participate in a MITM attack or just fool users into believing that it is a legitimate site (CVE-2014-0139).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0139
http://curl.haxx.se/docs/adv_20140129.html
http://curl.haxx.se/docs/adv_20140326A.html
http://curl.haxx.se/docs/adv_20140326B.html
http://www.debian.org/security/2014/dsa-2849
========================

Updated packages in core/updates_testing:
========================
curl-7.28.1-6.4.mga3
libcurl4-7.28.1-6.4.mga3
libcurl-devel-7.28.1-6.4.mga3
curl-examples-7.28.1-6.4.mga3
curl-7.34.0-1.2.mga4
libcurl4-7.34.0-1.2.mga4
libcurl-devel-7.34.0-1.2.mga4
curl-examples-7.34.0-1.2.mga4

from SRPMS:
curl-7.28.1-6.4.mga3.src.rpm
curl-7.34.0-1.2.mga4.src.rpm
Summary: curl new security issue CVE-2014-0015 => curl new security issues CVE-2014-0015, CVE-2014-0138, and CVE-2014-0139
Whiteboard: MGA3TOO feedback => MGA3TOO
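The CVE-2014-0139 entry in the advisory above describes a certificate-name check that applied a CN wildcard even when the requested host was a literal IP address. The following is an added illustration of that bug class and of the hardened rule (wildcards only for DNS names, one left-most label, at least two labels after it); it is standalone example code, not libcurl's own matching routine, and the certificate names and hosts in it are constructed.

```python
import ipaddress


def is_ip_literal(host: str) -> bool:
    """True if host is a textual IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def wildcard_match(pattern: str, host: str, reject_ip_literals: bool = True) -> bool:
    """Match one certificate name (CN or dNSName) against the requested host.

    Hardened rules: a single '*' only as the whole left-most label, at least
    two labels after it, and no wildcard matching at all for IP literals.
    With reject_ip_literals=False the '*' is compared textually even when
    the host is an IP address, which is the class of flaw CVE-2014-0139
    describes (an illustration, not libcurl's implementation).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host                      # plain exact match
    plabels = pattern.split(".")
    hlabels = host.split(".")
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False                                # only "*.example.com" shape
    if len(plabels) < 3:
        return False                                # "*.com" would match everything
    if reject_ip_literals and is_ip_literal(host):
        return False                                # wildcards never cover IPs
    if len(hlabels) != len(plabels):
        return False                                # '*' covers exactly one label
    return hlabels[1:] == plabels[1:]


def cert_matches_host(cert_names: list, host: str) -> bool:
    """True if any name presented by the certificate matches the host."""
    return any(wildcard_match(name, host) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: wildcard CN against a DNS name vs. an IP literal.
    print(wildcard_match("*.example.com", "www.example.com"))              # True
    print(wildcard_match("*.0.2.10", "192.0.2.10"))                        # False (hardened)
    print(wildcard_match("*.0.2.10", "192.0.2.10", reject_ip_literals=False))  # True (flawed)
```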
curl-7.34.0-1.2.mga4 and libcurl4-7.34.0-1.2.mga4 work as expected here on a 32-bit system. I did not try any PoCs for the solved security issues, if they exist.
lib64curl4-7.34.0-1.2.mga4 and curl-7.34.0-1.2.mga4 work fine on a 64-bit system, too.
About the testing procedures from https://bugs.mageia.org/show_bug.cgi?id=4307#c11 (they should be used, I suppose?), the first one:
$ curl pop3://<login>:<password>@<mailhost>/1
works on an xs4all mailbox, but not on a mailbox I prefer to test with (I get "connection refused"), not even if I escape the "@" in my user name (the user name there is exactly that e-mail address).
"Connection refused" means that either the host, port or protocol is wrong for that account. Try pop3s: to use an encrypted port, or imap: or imaps: in place of pop3.
(In reply to Dan Fandrich from comment #20)
> "Connection refused" means that either the host, port or protocol is wrong
> for that account. Try pop3s: to use an encrypted port, or imap: or imaps: in
> place of pop3.
Well, it was the "@" in the username after all; when I replaced it with "%40" everything worked well (both for pop3 and for pop3s).
For imap and imaps: I haven't yet found out how to read a mail, but I suppose getting the correct list of directories (like INBOX, TRASH, etc.) is good enough as a test?
I intend to do the other tests from https://bugs.mageia.org/show_bug.cgi?id=4307#c11 later (I'm now doing them in Mga4 on a 64-bit system); I'm a bit short on time.
All the other tests from https://bugs.mageia.org/show_bug.cgi?id=4307#c11 done on Mga4 64-bit, too, now, and all are fine.
Not adding mga4-64-ok, though, in case I missed one or more POCs or other things that should have been tested, too.
(In reply to Marja van Waes from comment #22)
> all the other tests from https://bugs.mageia.org/show_bug.cgi?id=4307#c11
> done on Mga4 64bits, too, now, and all are fine.
>
> Not adding mga4-64-ok, though, in case I missed one or more POCs or other
> things that should have been tested, too
All those tests done for mga4 32-bit, too. Everything works just as well as for 64-bit. I can't test Mageia 3, sorry.
Procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11
Thanks Marja, adding the OKs.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
LWN references for CVE-2014-0138 and CVE-2014-0139:
http://lwn.net/Vulnerabilities/592583/
http://lwn.net/Vulnerabilities/592586/
Severity: normal => major
Testing complete mga3-64
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok
Testing complete mga3-32
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Advisory uploaded. Validating.
Could sysadmin please push to 3 & 4 updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
http://advisories.mageia.org/MGASA-2014-0153.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED