cURL 7.42.0 has been released today (April 22): http://curl.haxx.se/changes.html#7_42_0

There are 4 associated security advisories:
http://curl.haxx.se/docs/adv_20150422D.html (CVE-2015-3144)
http://curl.haxx.se/docs/adv_20150422C.html (CVE-2015-3145)
http://curl.haxx.se/docs/adv_20150422B.html (CVE-2015-3148)
http://curl.haxx.se/docs/adv_20150422A.html (CVE-2015-3143)

We have curl 7.34.0 in Mageia 4, which the advisory says is not affected by CVE-2015-3144. The linked upstream patches for CVE-2015-3143 and CVE-2015-3145 apply cleanly to 7.34.0. The CVE-2015-3148 patch does not apply, and looking at the code, I don't see how 7.34.0 is affected, even though the advisory says that it is. Dan, do you have any insight on this?
Whiteboard: (none) => MGA5TOO, MGA4TOO
Debian has issued an advisory for this today (April 22): https://lists.debian.org/debian-security-announce/2015/msg00120.html

I see in this commit for wheezy where they had to also add an intermediate commit to introduce the code that was patched in the CVE-2015-3148 patch: http://anonscm.debian.org/cgit/collab-maint/curl.git/commit/?h=wheezy&id=3f23fac29df7fe42fab32e32152c1f3102cab9e4

It's not clear to me how this isn't just introducing the vulnerability and then fixing it, but I guess I'm missing something. I'll add the additional patch.
Patches checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.

The DSA referenced above will be posted here: https://www.debian.org/security/2015/dsa-3232
URL: (none) => http://lwn.net/Vulnerabilities/641423/
The extra Debian patch isn't introducing the vulnerability; rather it's fixing a GSS data structure lifetime issue that doesn't affect connection reuse. Frankly, I'm a bit surprised Negotiate worked at all without that patch (Negotiate is not covered by the curl test suite, unfortunately). It's the connclose() call in the CVE-3148 patch that fixes the security issue, and it could also have been applied by rediffing the patch. But, I think the current set of patches in SVN is a better solution; I'm happy with what I see there now. Thanks for taking care of this.
Assignee: dan => luigiwalser
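The two connection-reuse issues in this thread (CVE-2015-3143 and CVE-2015-3148) share one root cause: NTLM and Negotiate authenticate the TCP connection rather than each request, so a pooled connection carries a user's identity and must either be matched against the next request's credentials or be marked for close, which is what the connclose() call mentioned above does. The following is an added illustration written for this thread, not libcurl's ConnectionExists()/connclose() code; the pooled_conn struct, may_reuse() and finish_auth() are hypothetical names, and the hosts and users are constructed sample values.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an idle pooled connection (illustration only). */
typedef enum { AUTH_NONE, AUTH_BASIC, AUTH_NTLM, AUTH_NEGOTIATE } auth_scheme;

typedef struct {
    char host[64];
    char user[64];        /* user this connection was authenticated as ("" if none) */
    auth_scheme scheme;   /* scheme negotiated on this connection */
    bool authenticated;   /* handshake finished: identity is bound to the socket */
    bool close_after_use; /* the connclose() idea: never put it back in the pool */
} pooled_conn;

/* NTLM and Negotiate authenticate the connection, not the individual request. */
static bool is_connection_oriented(auth_scheme s)
{
    return s == AUTH_NTLM || s == AUTH_NEGOTIATE;
}

/* May an idle pooled connection carry a new request for `user` (""/NULL = no
 * credentials)?  Returns true only when reuse cannot hand one user's identity
 * to another. */
bool may_reuse(const pooled_conn *c, const char *host, const char *user)
{
    if (c->close_after_use)
        return false;                 /* marked for close: never reuse */
    if (strcmp(c->host, host) != 0)
        return false;                 /* different origin */
    if (!is_connection_oriented(c->scheme))
        return true;                  /* per-request auth travels with the request */
    if (!c->authenticated)
        return false;                 /* handshake state unknown: be conservative */
    /* Connection-bound identity: the request must name exactly the same user.
     * A request with no credentials must not ride on an authenticated
     * connection (the CVE-2015-3143 pattern). */
    return user != NULL && user[0] != '\0' && strcmp(c->user, user) == 0;
}

/* Called once a connection-oriented handshake completes.  If the transfer
 * could not record the identity on the connection (the CVE-2015-3148 pattern,
 * where Negotiate left the connection unmarked), the safe fallback is to
 * close it rather than leave it reusable by anyone. */
void finish_auth(pooled_conn *c, const char *user, bool identity_recorded)
{
    if (!is_connection_oriented(c->scheme))
        return;
    if (identity_recorded) {
        strncpy(c->user, user, sizeof c->user - 1);
        c->user[sizeof c->user - 1] = '\0';
        c->authenticated = true;
    } else {
        c->close_after_use = true;
    }
}

int main(void)
{
    /* Constructed sample: an NTLM connection authenticated as "alice". */
    pooled_conn c = {"example.test", "", AUTH_NTLM, false, false};
    finish_auth(&c, "alice", true);
    printf("alice again:      %s\n", may_reuse(&c, "example.test", "alice") ? "reuse" : "new connection");
    printf("no credentials:   %s\n", may_reuse(&c, "example.test", "")      ? "reuse" : "new connection");
    printf("bob:              %s\n", may_reuse(&c, "example.test", "bob")   ? "reuse" : "new connection");

    /* Negotiate connection whose identity was never recorded: closed instead. */
    pooled_conn n = {"example.test", "", AUTH_NEGOTIATE, false, false};
    finish_auth(&n, "alice", false);
    printf("unmarked negotiate: %s\n", may_reuse(&n, "example.test", "alice") ? "reuse" : "new connection");
    return 0;
}
```

The decision is deliberately one-sided: a connection-oriented connection is reused only on an exact user match, and any connection whose identity could not be recorded is thrown away, which is the same outcome connclose() produces.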
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

NTLM-authenticated connections could be wrongly reused for requests without any credentials set, leading to HTTP requests being sent over the connection authenticated as a different user (CVE-2015-3143).

When parsing HTTP cookies, if the parsed cookie's "path" element consists of a single double-quote, libcurl would try to write to an invalid heap memory address. This could allow remote attackers to cause a denial of service (crash) (CVE-2015-3145).

When doing HTTP requests using the Negotiate authentication method along with NTLM, the connection used would not be marked as authenticated, making it possible to reuse it and send requests for one user over the connection authenticated as a different user (CVE-2015-3148).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3148
http://curl.haxx.se/docs/adv_20150422A.html
http://curl.haxx.se/docs/adv_20150422D.html
http://curl.haxx.se/docs/adv_20150422B.html
https://www.debian.org/security/2015/dsa-3232
========================

Updated packages in core/updates_testing:
========================
curl-7.34.0-1.6.mga4
libcurl4-7.34.0-1.6.mga4
libcurl-devel-7.34.0-1.6.mga4
curl-examples-7.34.0-1.6.mga4

from curl-7.34.0-1.6.mga4.src.rpm
Version: Cauldron => 4
Assignee: luigiwalser => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
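The cookie-path bug in the advisory above (CVE-2015-3145) is a classic length-bookkeeping defect: a parser that strips a leading quote and then reaches for "the last character" without re-checking that any character is left will, for a path consisting of a single double-quote, index one byte before its heap buffer. The function below is an added illustration for this thread, written here and not taken from libcurl: a hardened quote-stripping step that recomputes the length after every edit and never indexes an empty string, with the RFC 6265 section 5.2.4 rule that a path not starting with "/" falls back to the default path (simplified here to "/"; the RFC derives it from the request URI). The name sanitize_cookie_path and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strip one leading and one trailing '"' from a cookie Path attribute value
 * (some sites send  Path="/foo" ), then apply the RFC 6265 5.2.4 default-path
 * rule.  Returns a newly allocated string the caller frees, or NULL on
 * allocation failure.  Hypothetical helper written for this example. */
char *sanitize_cookie_path(const char *cookie_path)
{
    size_t len = strlen(cookie_path);
    char *new_path = malloc(len + 1);
    if (!new_path)
        return NULL;
    memcpy(new_path, cookie_path, len + 1);

    /* Leading quote: shift the rest (including the terminator) left by one
     * and, crucially, keep `len` in step with the buffer contents. */
    if (len > 0 && new_path[0] == '"') {
        memmove(new_path, new_path + 1, len);
        len--;
    }
    /* Trailing quote: only look at new_path[len - 1] when len > 0.  For the
     * single-'"' input, len is now 0 and this branch is skipped instead of
     * writing to new_path[-1]. */
    if (len > 0 && new_path[len - 1] == '"') {
        new_path[len - 1] = '\0';
        len--;
    }

    /* RFC 6265 5.2.4: a path that does not start with '/' (this includes the
     * now-empty string) is ignored in favour of the default path. */
    if (new_path[0] != '/') {
        free(new_path);
        new_path = malloc(2);
        if (!new_path)
            return NULL;
        memcpy(new_path, "/", 2);
    }
    return new_path;
}

int main(void)
{
    /* Constructed sample inputs, including the edge case from the advisory. */
    const char *samples[] = { "\"", "\"\"", "\"/account\"", "/plain", "", "relative" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *p = sanitize_cookie_path(samples[i]);
        printf("%-14s -> %s\n", samples[i], p ? p : "(alloc failed)");
        free(p);
    }
    return 0;
}
```

The check that matters is the `len > 0` guard in front of every `new_path[len - 1]` access; the `len--` after the memmove is what keeps that guard truthful once the buffer has been edited.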
Testing reference: https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Testing MGA4 x64 real hardware.

With latest issued curl, did tests 1 3 4 5, saved their output.

Updated to:
curl-7.34.0-1.6.mga4
lib64curl4-7.34.0-1.6.mga4

and re-ran the same 4 tests, again saving their output. Compared the pre & post outputs, all of which were identical apart from hidden token values in a web page (Bug 14468). OK.
CC: (none) => lewyssmith
Whiteboard: (none) => MGA4-64-OK
Validating. Advisory uploaded. Please push to 4 updates. Thanks.
Keywords: (none) => validated_update
Whiteboard: MGA4-64-OK => has_procedure advisory MGA4-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0179.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED