Bug 17629 - curl new security issue CVE-2016-0755
Summary: curl new security issue CVE-2016-0755
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/673777/
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-01-27 15:26 CET by David Walser
Modified: 2016-02-05 18:27 CET

See Also:
Source RPM: curl-7.40.0-3.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-01-27 15:26:11 CET
Upstream has issued an advisory today (January 27):
http://curl.haxx.se/docs/adv_20160127A.html

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl before 7.47.0 will reuse NTLM-authenticated proxy connections without
properly making sure that the connection was authenticated with the same
credentials as set for this transfer. The effect of this flaw is that the
application could be reusing a proxy connection using the previously used
credentials and thus it could be given to or prevented access from resources
that it wasn't intended to (CVE-2016-0755).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755
http://curl.haxx.se/docs/adv_20160127A.html
========================

Updated packages in core/updates_testing:
========================
curl-7.40.0-3.3.mga5
libcurl4-7.40.0-3.3.mga5
libcurl-devel-7.40.0-3.3.mga5
curl-examples-7.40.0-3.3.mga5

from curl-7.40.0-3.3.mga5.src.rpm
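
Added example, not part of the original report and not libcurl's code: a simplified C model of the connection-reuse decision described in the advisory above, with the endpoint-only match beside a check that also compares proxy credentials on NTLM-authenticated connections. The struct names, function names and sample values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; names are hypothetical, not libcurl's structures.
   Credentials are assumed to be non-NULL strings. */
struct proxy_conn {
    const char *host;
    int port;
    const char *user, *passwd;  /* credentials that authenticated the connection */
    int ntlm_done;              /* NTLM handshake completed on this connection */
};

struct transfer {               /* what the new transfer is configured with */
    const char *proxy_host;
    int proxy_port;
    const char *proxy_user, *proxy_passwd;
};

static int same_endpoint(const struct proxy_conn *c, const struct transfer *t)
{
    return c->port == t->proxy_port && strcmp(c->host, t->proxy_host) == 0;
}

/* Flawed: matches on proxy host/port only, so a connection authenticated
   with one set of credentials is handed to a transfer set up with another. */
int reusable_flawed(const struct proxy_conn *c, const struct transfer *t)
{
    return same_endpoint(c, t);
}

/* Checked: NTLM authenticates the connection itself, so reuse additionally
   requires identical proxy credentials. */
int reusable_checked(const struct proxy_conn *c, const struct transfer *t)
{
    if (!same_endpoint(c, t))
        return 0;
    if (c->ntlm_done && (strcmp(c->user, t->proxy_user) != 0 ||
                         strcmp(c->passwd, t->proxy_passwd) != 0))
        return 0;
    return 1;
}

/* Constructed sample data. */
static const struct proxy_conn pooled = { "proxy.example", 3128, "alice", "pw-a", 1 };
static const struct transfer as_bob   = { "proxy.example", 3128, "bob", "pw-b" };
static const struct transfer as_alice = { "proxy.example", 3128, "alice", "pw-a" };

int main(void)
{
    printf("flawed, bob:    %d\n", reusable_flawed(&pooled, &as_bob));
    printf("checked, bob:   %d\n", reusable_checked(&pooled, &as_bob));
    printf("checked, alice: %d\n", reusable_checked(&pooled, &as_alice));
    return 0;
}
```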

Comment 1 David Walser 2016-01-27 15:26:24 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2016-01-27 15:38:02 CET
Test 46 in the test suite failed on i586:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20160127141751.luigiwalser.valstar.4075/log/curl-7.40.0-3.3.mga5/build.0.20160127141805.log

Dan, is this a problem, or should I just disable that test?

CC: (none) => dan
Whiteboard: has_procedure => has_procedure feedback

Comment 3 Dan Fandrich 2016-01-27 21:03:06 CET
It's suspicious. It's not a known flaky test, and the latest autobuilds on the latest source don't have a problem with that test. I'm able to reproduce it; I'll take a look.
Comment 4 Dan Fandrich 2016-01-27 22:33:46 CET
The problem turned out to be a cookie used in test 46 that expired last year. I've added a patch and re-submitted the package.
Comment 5 David Walser 2016-01-27 22:50:33 CET
Thanks Dan!  We've run into a similar issue before, I think it might have been an expired TLS certificate in one of the tests.

Whiteboard: has_procedure feedback => has_procedure

Comment 6 David Walser 2016-01-27 22:59:45 CET
Debian has issued an advisory for this today (January 27):
https://www.debian.org/security/2016/dsa-3455

URL: (none) => http://lwn.net/Vulnerabilities/673777/

Comment 7 Len Lawrence 2016-01-29 20:55:51 CET
mga5  x86_64  Mate

Tried out bug #4307:comment #11 tests before updating.
The imap and pop3 commands hung - not quite sure what to expect anyway - .eml files?

$ curl -L http://apod.nasa.gov
$ curl -L http://www.erikveen.dds.nl/rubycodesnippets/index.html
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm

These all worked as expected.
And after the update they also work.

Had a look at the test suite but did not feel up to compiling it but would have a go if it is judged necessary.
Ready to OK this for 64-bits.

CC: (none) => tarazed25

Comment 8 David Walser 2016-01-29 20:57:21 CET
Yeah this one doesn't need much testing since it has an extraordinarily extensive test suite that's run at build time, so we already know it works.
Len Lawrence 2016-01-29 22:31:35 CET

Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 9 Len Lawrence 2016-01-29 22:40:41 CET
Just to rubber-stamp it ran this in a 32-bit vbox.
Executed the website and download tests after the update and all is well.
Len Lawrence 2016-01-29 22:41:10 CET

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK

Len Lawrence 2016-01-29 22:41:26 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Len Lawrence 2016-01-29 22:42:49 CET
Would some kind person from sysadmin please push this to Updates.
Dave Hodgins 2016-02-03 02:56:03 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory

Comment 11 Mageia Robot 2016-02-05 18:27:54 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0050.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

