Upstream has issued an advisory today (January 27):
http://curl.haxx.se/docs/adv_20160127A.html

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl before 7.47.0 will reuse NTLM-authenticated proxy connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. The effect of this flaw is that the application could be reusing a proxy connection using the previously used credentials and thus it could be given to or prevented access from resources that it wasn't intended to (CVE-2016-0755).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0755
http://curl.haxx.se/docs/adv_20160127A.html
========================

Updated packages in core/updates_testing:
========================

curl-7.40.0-3.3.mga5
libcurl4-7.40.0-3.3.mga5
libcurl-devel-7.40.0-3.3.mga5
curl-examples-7.40.0-3.3.mga5

from curl-7.40.0-3.3.mga5.src.rpm

Reproducible:

Steps to Reproduce:
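A version check for this CVE has to account for the backport described above: Mageia 5 ships the fix in curl-7.40.0-3.3.mga5, so a naive "older than 7.47.0" test would flag the patched packages. The script below is an added example, not part of this report or of the curl project; the two fix thresholds (upstream 7.47.0, Mageia 5 release 3.3) are taken from the report, the package-name pattern and sample list are assumptions.

```python
"""Decide whether a curl/libcurl package still predates the CVE-2016-0755 fix.

Thresholds from the report: upstream fixed in 7.47.0; Mageia 5 backported the
fix into release 3.3 of its 7.40.0 package, so the release tag must be compared
for that version instead of the upstream version alone.
"""
import re

UPSTREAM_FIXED = (7, 47, 0)

# Distribution backports: {dist tag: (upstream version, first fixed release)}.
BACKPORT_FIXED = {"mga5": ("7.40.0", "3.3")}

# name-version-release pattern for the package names seen in the report, e.g.
# curl-7.40.0-3.3.mga5, libcurl4-7.40.0-3.3.mga5, curl-examples-7.40.0-3.3.mga5
_NVR = re.compile(
    r"^(?:lib)?curl(?:\d+|-devel|-examples)?-(\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)\.(mga\d+)"
)


def _vtuple(text):
    """'7.40.0' -> (7, 40, 0): compare numerically, never as strings."""
    return tuple(int(p) for p in text.split("."))


def is_affected(package):
    """True if `package` (an rpm NVR, or a bare upstream version such as
    '7.46.0') still carries CVE-2016-0755."""
    m = _NVR.match(package)
    if m:
        version, release, dist = m.groups()
        backport = BACKPORT_FIXED.get(dist)
        if backport and version == backport[0]:
            # Same upstream version as the backport: the release tag decides.
            return _vtuple(release) < _vtuple(backport[1])
        return _vtuple(version) < UPSTREAM_FIXED
    if re.fullmatch(r"\d+(?:\.\d+)*", package):
        return _vtuple(package) < UPSTREAM_FIXED
    raise ValueError(f"unrecognised curl package string: {package!r}")


if __name__ == "__main__":
    # Constructed sample: two packages from the report, one older Mageia 5
    # build (hypothetical), and two bare upstream versions.
    for pkg in ["curl-7.40.0-3.3.mga5", "libcurl4-7.40.0-3.3.mga5",
                "libcurl4-7.40.0-3.2.mga5", "7.46.0", "7.47.0"]:
        print("AFFECTED" if is_affected(pkg) else "fixed   ", pkg)
```

For real assessments the authoritative source is the distribution's advisory (here MGASA-2016-0050), not a version heuristic.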
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14468#c4
Whiteboard: (none) => has_procedure
Test 46 in the test suite failed on i586: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20160127141751.luigiwalser.valstar.4075/log/curl-7.40.0-3.3.mga5/build.0.20160127141805.log Dan, is this a problem, or should I just disable that test?
CC: (none) => dan
Whiteboard: has_procedure => has_procedure feedback
It's suspicious. It's not a known flaky test, and the latest autobuilds on the latest source don't have a problem with that test. I'm able to reproduce it; I'll take a look.
The problem turned out to be a cookie used in test 46 that expired last year. I've added a patch and re-submitted the package.
Thanks Dan! We've run into a similar issue before, I think it might have been an expired TLS certificate in one of the tests.
Whiteboard: has_procedure feedback => has_procedure
Debian has issued an advisory for this today (January 27): https://www.debian.org/security/2016/dsa-3455
URL: (none) => http://lwn.net/Vulnerabilities/673777/
mga5 x86_64 Mate

Tried out bug #4307:comment #11 tests before updating. The imap and pop3 commands hung - not quite sure what to expect anyway - .eml files?

$ curl -L http://apod.nasa.gov
$ curl -L http://www.erikveen.dds.nl/rubycodesnippets/index.html
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm

These all worked as expected. And after the update they also work.

Had a look at the test suite but did not feel up to compiling it, but would have a go if it is judged necessary.

Ready to OK this for 64-bits.
CC: (none) => tarazed25
Yeah this one doesn't need much testing since it has an extraordinarily extensive test suite that's run at build time, so we already know it works.
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Just to rubber-stamp it ran this in a 32-bit vbox. Executed the website and download tests after the update and all is well.
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK MGA5-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Would some kind person from sysadmin please push this to Updates.
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-64-OK MGA5-32-OK => has_procedure MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0050.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED