Upstream has issued an advisory today (April 29): http://curl.haxx.se/docs/adv_20150429.html The issue is fixed in 7.42.1, and there is a patch available. The patch applies cleanly in curl 7.40.0 in Cauldron. That is committed in SVN and a freeze push has been requested. The patch doesn't even remotely begin to apply to 7.34.0 in Mageia 4. We'll have to wait for someone to do a backported fix. Reproducible: Steps to Reproduce:
Debian and Ubuntu have issued advisories for this on April 29 and 30: https://www.debian.org/security/2015/dsa-3240 http://www.ubuntu.com/usn/usn-2591-1/ Debian has not fixed the issue in Wheezy, nor has Ubuntu fixed it for older versions. It appears, due to the invasive changes in 7.37.0 that the fixes rely on, Debian and Ubuntu will not be backporting fixes to versions older than that. Indeed, Ubuntu's CVE page for this suggests just that: http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3153.html In all likelihood, we won't be fixing this for Mageia 4 either.
URL: (none) => http://lwn.net/Vulnerabilities/642638/
curl-7.40.0-3.mga5 uploaded for Cauldron.
CC: (none) => mageiaHardware: i586 => AllAssignee: bugsquad => shlomif
Whiteboard: (none) => OK
closing as wontfix for mga4 then
Status: NEW => RESOLVEDCC: (none) => mageiaResolution: (none) => WONTFIX