Upstream has issued an advisory today (January 8):
The issue is fixed upstream in 7.40.0 (freeze push requested for Cauldron) and there's a patch available.
Note: 7.40.0 also fixes CVE-2014-8151, which only affects Mac OS X and iOS.
Patched packages uploaded for Mageia 4.
Updated curl packages fix security vulnerability:
When libcurl sends a request to a server via a HTTP proxy, it copies the
entire URL into the request and sends it off. If the given URL contains line
feeds and carriage returns those will be sent along to the proxy too, which
allows the program to for example send a separate HTTP request injected
embedded in the URL (CVE-2014-8150).
Updated packages in core/updates_testing:
Steps to Reproduce:
MGA4-64 on HP Probook 6555b KDE
ref testcases Comment 4
I did not try IMAP
Last 3 examples complete successfully.
The test on pop3: mixed bag. Tried with 3 different providers:
one: responds: curl: (67) Authentication cancelled
second (gmail): just times out
third retrieves mail OK.
has_procedure MGA4-64 OK
Comment 4 on bug 14468.
MGA4-32 on AcerD620 Xfce
Tests 1, 3, 4 and 5 as above OK
has_procedure MGA4-64 OK => has_procedure MGA4-64 OK MGA4-32-OK
has_procedure MGA4-64 OK MGA4-32-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.
Please push to 4 updates
has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
Debian has issued an advisory for this on January 8:
An update for this issue has been pushed to Mageia Updates repository.
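For the URL handling described in the CVE-2014-8150 advisory text above, an added example (not part of this bug thread and not curl's code) of an application-side check that refuses URLs carrying raw CR or LF before they are copied into a proxied request line. The helper names, the sample URL and the header name in it are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a URL with an embedded CRLF and a harmless extra line. */
static const char SAMPLE_BAD_URL[] = "http://example.com/a\r\nX-Constructed: 1";

/* Returns 1 if the URL contains a raw carriage return or line feed. */
static int url_has_crlf(const char *url)
{
    return url[strcspn(url, "\r\n")] != '\0';
}

/* Counts CRLF-terminated lines in a request head (the final empty line included). */
static int count_lines(const char *buf)
{
    int n = 0;
    for (const char *p = strstr(buf, "\r\n"); p; p = strstr(p + 2, "\r\n"))
        n++;
    return n;
}

/* Unchecked form: the whole URL is copied into the request line, as the
 * advisory describes. Returns bytes written, or -1 if it does not fit. */
static int format_proxy_request(char *out, size_t len, const char *url,
                                const char *host)
{
    int n = snprintf(out, len, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", url, host);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Checked form: rejects the URL instead of forwarding extra lines. */
static int build_proxy_request(char *out, size_t len, const char *url,
                               const char *host)
{
    if (url_has_crlf(url))
        return -1;
    return format_proxy_request(out, len, url, host);
}

int main(void)
{
    char buf[256];
    format_proxy_request(buf, sizeof buf, SAMPLE_BAD_URL, "example.com");
    printf("unchecked: %d lines\n", count_lines(buf));
    printf("checked:   %d\n",
           build_proxy_request(buf, sizeof buf, SAMPLE_BAD_URL, "example.com"));
    return 0;
}
```

The check looks only at raw CR and LF bytes, which is the case the advisory describes; it does not decode percent-escapes.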