Upstream has issued two advisories today (September 10): http://curl.haxx.se/docs/adv_20140910A.html http://curl.haxx.se/docs/adv_20140910B.html The second only affects the versions in Mageia 4 and Cauldron. The first affects Mageia 3, Mageia 4, and Cauldron. The issue is fixed in 7.38.0 (in SVN for Cauldron, awaiting a push) and with patches from upstream (committed in SVN for Mageia 3 and Mageia 4). Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated package uploaded for Cauldron. Patched packages uploaded for Mageia 3 and Mageia 4. Advisory (Mageia 3): ======================== Updated curl packages fix security vulnerabilities: In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613 http://curl.haxx.se/docs/adv_20140910A.html ======================== Updated packages in core/updates_testing: ======================== curl-7.28.1-6.5.mga3 libcurl4-7.28.1-6.5.mga3 libcurl-devel-7.28.1-6.5.mga3 curl-examples-7.28.1-6.5.mga3 from curl-7.28.1-6.5.mga3.src.rpm Advisory (Mageia 4): ======================== Updated curl packages fix security vulnerabilities: In cURL before 7.38.0, libcurl can be fooled to both sending cookies to wrong sites and into allowing arbitrary sites to set cookies for others. For this problem to trigger, the client application must use the numerical IP address in the URL to access the site (CVE-2014-3613). In cURL before 7.38.0, libcurl wrongly allows cookies to be set for Top Level Domains (TLDs), thus making them apply broader than cookies are allowed. This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain (CVE-2014-3620). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3613 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3620 http://curl.haxx.se/docs/adv_20140910A.html http://curl.haxx.se/docs/adv_20140910B.html ======================== Updated packages in core/updates_testing: ======================== curl-7.34.0-1.3.mga4 libcurl4-7.34.0-1.3.mga4 libcurl-devel-7.34.0-1.3.mga4 curl-examples-7.34.0-1.3.mga4 from curl-7.34.0-1.3.mga4.src.rpm
Version: Cauldron => 4Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Debian has issued an advisory for this on September 10: https://www.debian.org/security/2014/dsa-3022
URL: (none) => http://lwn.net/Vulnerabilities/611591/
Oops, forgot to assign to QA.
Assignee: bugsquad => qa-bugs
Testing complete MGA4 64 following procedure linked in comment #2, just had to change the ftp URLs to another mirror and another RPM.
CC: (none) => stormi
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA4-64-OK
Testing complete mga3 32 For another mirror and another RPM try these :) curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/ and curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
Whiteboard: MGA3TOO has_procedure MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok MGA4-64-OK
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK
Testing in mga4 x86_64 The exact commands from comment #6 worked fine.
CC: (none) => tarazed25
curl -L www.mageia.org > test.html The site came up in Firefox with no errors.
Hardware: i586 => x86_64
(In reply to Len Lawrence from comment #9) > curl -L www.mageia.org > test.html > > The site came up in Firefox with no errors. Well at least the documentation links worked - others treated as local links.
Hardware: x86_64 => All
Following procedure from Comment2 Testing on MGA3 x86_64 in Virtualbox Everything OK for me as well Testing on MGA4 x86_64 using the same procedure Everything OK except curl imap://login:password@imap.free.fr returns list of folders : * LIST () "/" Trash * LIST () "/" INBOX/sent-mail * LIST () "/" Sent * LIST () "/" INBOX instead of the first message.
CC: (none) => olchalVersion: 4 => Cauldron
Don't change the version assignment on the bugs.
Version: Cauldron => 4
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok MGA4-64-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK
Validating. Separate advisories uploaded for mga3 and 4. Could sysadmin please push to 3 & 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OK => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok MGA4-64-OKCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0384.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0385.html