Upstream has issued advisories today (June 17):
Patches committed in Cauldron SVN. They will have to be committed in Mageia 5 SVN after it is branched.
Mageia 4 is not affected.
Patched packages uploaded for Mageia 5 and Cauldron.
Updated curl packages fix security vulnerabilities:
libcurl can wrongly send HTTP credentials when re-using connections. Even if
the handle for an HTTP connection is reset, it retains the credentials, which
can cause them to be unintentionally leaked in subsequent requests (CVE-2015-3236).
libcurl can get tricked by a malicious SMB server to send off data it did not
intend to. A malicious SMB server can use this to access arbitrary process
memory, or to crash the client, causing a denial of service (CVE-2015-3237).
Updated packages in core/updates_testing:
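The first advisory item (credentials retained across handle reset and sent again on a re-used connection) has no public PoC on this page. The harness below is an added example, not code from the Mageia bug or from the curl project: a local keep-alive HTTP server that requires Basic auth only under /private and records whether each request carried an Authorization header, plus a check that flags any credential sent to a path that never asked for one. The two stdlib clients are constructed stand-ins: one behaves like a fixed client, the other imitates the lingering-credential behaviour so the check's output can be seen offline. To test a real libcurl build, point a program that does curl_easy_reset() between the two requests at the printed port and inspect leaked_paths() the same way.

```python
"""Local harness for spotting HTTP credentials that linger across
connection re-use. Added example; server, paths and credentials are
constructed for illustration and are not part of the original page."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

USER, PASSWORD = "tester", "s3cret"  # constructed test credentials
EXPECTED = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()


class RecordingHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive, so one TCP connection is re-used
    log = []  # (path, Authorization header present?) per request

    def do_GET(self):
        auth = self.headers.get("Authorization")
        type(self).log.append((self.path, auth is not None))
        if self.path.startswith("/private") and auth != EXPECTED:
            body = b"unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="test"')
        else:
            body = b"ok"
            self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep stderr quiet during the run
        pass


def start_server():
    """Bind to an ephemeral port on loopback and serve in a background thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), RecordingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def leaked_paths(log):
    """Paths that received credentials although they never required any."""
    return [path for path, had_auth in log if had_auth and not path.startswith("/private")]


def run_fixed_style_client(port):
    """Credentials only on the request that needs them; the same keep-alive
    connection is then re-used for a public URL without them."""
    RecordingHandler.log.clear()
    conn = http.client.HTTPConnection("127.0.0.1", port)
    conn.request("GET", "/private/data", headers={"Authorization": EXPECTED})
    conn.getresponse().read()
    conn.request("GET", "/public/index")  # same TCP connection, no credentials
    conn.getresponse().read()
    conn.close()
    return list(RecordingHandler.log)


def run_leaky_client(port):
    """Constructed imitation of the unfixed behaviour: the stored Authorization
    header keeps being attached after the handle was 'reset'."""
    RecordingHandler.log.clear()
    conn = http.client.HTTPConnection("127.0.0.1", port)
    for path in ("/private/data", "/public/index"):
        conn.request("GET", path, headers={"Authorization": EXPECTED})
        conn.getresponse().read()
    conn.close()
    return list(RecordingHandler.log)


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    print("listening on 127.0.0.1:%d (user %s)" % (port, USER))
    print("fixed-style client leaks to:", leaked_paths(run_fixed_style_client(port)))
    print("leaky client leaks to:      ", leaked_paths(run_leaky_client(port)))
    server.shutdown()
```

The check is deliberately server-side: whether a client re-sends credentials is only visible in what arrives on the wire, so recording the Authorization header per path is the evidence to look at regardless of which client library is under test.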
Fedora has issued an advisory for this on June 20:
Tested mga5 for 32 and 64bit. No specific PoC found, so used the tests as linked in comment 1 (except using pop3s and imaps):
Everything is working as expected.
Please upload the advisory and validate the package. Thanks.
has_procedure MGA5-32-OK MGA5-6 => has_procedure MGA5-32-OK MGA5-64-OK
Advisory committed to svn.
Someone from the sysadmin team please push 16140.adv to updates.
has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.