Upstream has released version 1.31 on July 8:
http://lists.gnu.org/archive/html/info-gnu/2015-07/msg00003.html

This updated version is currently considered a "beta," as it changes the behavior of an API, and they haven't yet committed to retaining that change going forward. We probably shouldn't update it until they do so. It fixes a security issue in applications that use the API in an unsafe manner.

It was announced on the oss-security list on July 6 that wget and curl are two applications that are affected:
http://openwall.com/lists/oss-security/2015/07/06/5

cURL's approach was to disable libidn support by default, which I have also done in Cauldron. If we are able to update to a "fixed" version of libidn in the future, we can re-enable curl's libidn support in Cauldron at that time. For stable releases, it doesn't sound like it will ever make sense to backport this change in libidn, so disabling curl's libidn support there seems to be the way to go. I have checked this change into Mageia 4 and Mageia 5 SVN.

wget has implemented a change to mitigate the impact of this issue, regardless of what libidn does. I have checked this patch into Mageia 4, Mageia 5, and Cauldron SVN.

This doesn't sound like a very serious issue to me, so for now, we can include these changes in our next future updates to wget and curl.
Whiteboard: (none) => MGA5TOO, MGA4TOO
OpenSuSE has issued an advisory for this on July 17: http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.html Interestingly, they updated their stable releases to the libidn 1.31 beta, and Debian-LTS also backported the change.
URL: (none) => http://lwn.net/Vulnerabilities/651768/
libidn 1.32 has been released on August 1, fixing a regression in 1.31:
http://lists.gnu.org/archive/html/info-gnu/2015-08/msg00000.html

It's still considered a beta, but Debian-LTS, Fedora, and OpenSuSE have gone with it, so let's go with it. It requires an updated gettext to build in Mageia 4, so I'll push the curl and wget packages that I changed in SVN instead (in another bug).

Advisory:
========================

Updated libidn packages fix security vulnerability:

In libidn before 1.31, stringprep_utf8_to_ucs4 did not validate that the input UTF-8 string was actually valid UTF-8, which could lead to out-of-bounds reads (CVE-2015-2059).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2059
http://lists.gnu.org/archive/html/info-gnu/2015-03/msg00000.html
http://lists.gnu.org/archive/html/info-gnu/2015-07/msg00003.html
http://lists.gnu.org/archive/html/info-gnu/2015-08/msg00000.html
http://lists.opensuse.org/opensuse-updates/2015-07/msg00042.html
========================

Updated packages in core/updates_testing:
========================
libidn11-1.32-1.mga5
libidn-devel-1.32-1.mga5
idn-1.32-1.mga5
libidn11-java-1.32-1.mga5
libidn11-mono-1.32-1.mga5

from libidn-1.32-1.mga5.src.rpm
Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => (none)
Blocks: (none) => 16689
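The validation the advisory above says was missing, shown as an added example (not code from libidn, wget, curl or Mageia): a strict UTF-8 check that a caller can run on a hostname before handing it to an IDN conversion routine. The names utf8_is_valid and hostname_safe_for_idn are hypothetical, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf[0..len) is well-formed UTF-8 (RFC 3629), else 0.
 * Rejects truncated sequences, stray continuation bytes, overlong forms,
 * UTF-16 surrogates and code points above U+10FFFF. Never reads past len. */
int utf8_is_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need;            /* continuation bytes the lead byte declares */
        unsigned long cp, min;  /* decoded code point, smallest legal value */

        if (c < 0x80) { i++; continue; }
        else if ((c & 0xE0) == 0xC0) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;  /* stray continuation byte or invalid lead byte */

        if (len - i - 1 < need) return 0;  /* sequence cut off by end of buffer */
        for (size_t k = 1; k <= need; k++) {
            if ((buf[i + k] & 0xC0) != 0x80) return 0;
            cp = (cp << 6) | (buf[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += need + 1;
    }
    return 1;
}

/* Hypothetical gate for a NUL-terminated hostname before IDN conversion. */
int hostname_safe_for_idn(const char *host)
{
    return host != NULL && utf8_is_valid((const unsigned char *)host, strlen(host));
}

int main(void)
{
    /* Constructed samples: ASCII, valid 2-byte sequence, truncated 3-byte sequence. */
    const char *samples[] = { "example.com", "b\xC3\xBC" "cher.example", "abc\xE2\x82" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("sample %zu -> %d\n", k, hostname_safe_for_idn(samples[k]));
    return 0;
}
```

A hostname that fails this check should be rejected rather than passed on for conversion.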
Oops, assigning to QA. Advisory and package list in Comment 2.
Assignee: bugsquad => qa-bugs
Mageia 5 i586, curl and wget work fine.
Whiteboard: (none) => has_procedure MGA5-32-OK
Hi David, I only find 32-bit. No 64-bit version. Based on your notes, I guess I'll just move to another patch to test. Let me know.
CC: (none) => brtians1
(In reply to Brian Rockwell from comment #5)
> Hi David,
> I only find 32-bit. No 64-bit version.

For 64-bit versions, the library would be named lib64idn*, plus there should be a 64-bit idn-1.32-1.mga5.
I search on "libidn" and only come back with 1.28. Must be the mirror I'm using.
Testing complete mga5 64

wget & curl ok

Validating. Advisory uploaded.

Please push to 5 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure advisory mga5-64-ok MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0349.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED