Bug 19123 - curl new security issues CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/696214/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
Reported: 2016-08-03 18:47 CEST by David Walser
Modified: 2016-08-31 17:33 CEST
Source RPM: curl-7.40.0-3.3.mga5.src.rpm

Description David Walser 2016-08-03 18:47:57 CEST
Upstream has released version 7.50.1 today (August 3):
https://curl.haxx.se/changes.html

It fixes three security issues and other bugs.

Freeze push requested for Cauldron.  We'll need to add the patches for Mageia 5.
Comment 1 David GEIGER 2016-08-03 20:02:46 CEST
Done for mga5 adding the three upstream patches.

CC: (none) => geiger.david68210

Comment 2 David Walser 2016-08-03 20:23:06 CEST
Thanks David!

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl before 7.50.1 would attempt to resume a TLS session even if the client
certificate had changed. That is unacceptable since a server by specification
is allowed to skip the client certificate check on resume, and may instead use
the old identity which was established by the previous certificate (or no
certificate) (CVE-2016-5419).

In libcurl before 7.50.1, when using a client certificate for a connection that
was then put into the connection pool, that connection could then wrongly get
reused in a subsequent request to that same server. Mistakenly using the
wrong connection could lead to applications sending requests to the wrong
realms of the server using authentication that it wasn't supposed to have for
those operations (CVE-2016-5420).

libcurl before 7.50.1 is vulnerable to a use-after-free flaw in
curl_easy_perform() (CVE-2016-5421).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421
https://curl.haxx.se/docs/adv_20160803A.html
https://curl.haxx.se/docs/adv_20160803B.html
https://curl.haxx.se/docs/adv_20160803C.html
========================

Updated packages in core/updates_testing:
========================
curl-7.40.0-3.4.mga5
libcurl4-7.40.0-3.4.mga5
libcurl-devel-7.40.0-3.4.mga5
curl-examples-7.40.0-3.4.mga5

from curl-7.40.0-3.4.mga5.src.rpm

Assignee: bugsquad => qa-bugs
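
Added example, not part of the original bug thread and not curl's source: a simplified C model of the connection-reuse decision described in the CVE-2016-5420 advisory text in Comment 2, with a pool match on host and port only beside one that also compares the client certificate. The struct, the function names and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a pooled connection; not libcurl's real structures. */
struct conn {
    const char *host;
    int port;
    const char *client_cert; /* NULL when no client certificate is used */
};
typedef bool (*match_fn)(const struct conn *p, const struct conn *w);

/* Two NULLs match; NULL against a value does not. */
static bool same_str(const char *a, const char *b)
{
    return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* Weak match: host and port only, the client identity is ignored. */
bool reusable_weak(const struct conn *p, const struct conn *w)
{
    return p->port == w->port && strcmp(p->host, w->host) == 0;
}

/* Hardened match: the client certificate is part of the reuse key. */
bool reusable_strict(const struct conn *p, const struct conn *w)
{
    return reusable_weak(p, w) && same_str(p->client_cert, w->client_cert);
}

/* Index of the first reusable pooled connection, or -1 to open a new one. */
int pool_find(const struct conn *pool, size_t n, const struct conn *want,
              match_fn match)
{
    for (size_t i = 0; i < n; i++)
        if (match(&pool[i], want))
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample values: pooled connection made with alice.pem. */
    struct conn pool[] = { { "example.test", 443, "alice.pem" } };
    struct conn bob = { "example.test", 443, "bob.pem" };
    printf("weak=%d strict=%d\n", pool_find(pool, 1, &bob, reusable_weak),
           pool_find(pool, 1, &bob, reusable_strict));
    return 0;
}
```

With the weak match, the request carrying bob.pem is handed the connection authenticated with alice.pem; with the strict match it gets -1 and a new connection has to be opened.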

Comment 3 David Walser 2016-08-08 22:00:50 CEST
Debian has issued an advisory for this on August 3:
https://www.debian.org/security/2016/dsa-3638

URL: (none) => http://lwn.net/Vulnerabilities/696214/

Comment 4 Herman Viaene 2016-08-12 11:44:26 CEST
MGA5-32 on Acer D620 Xfce
No installation issues
Tested with procedure as per Comment above
At CLI:
curl -L https://<my-own-webserver>
returns source
$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
returns long list of rpm's
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   277k      0  0:00:01  0:00:01 --:--:--  278k

CC: (none) => herman.viaene

Herman Viaene 2016-08-12 11:44:43 CEST

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 5 Philippe Makowski 2016-08-16 22:09:55 CEST
MGA5-64 
No installation issues
Tested with procedure as per Comment above
At CLI:
curl -L https://<my-own-webserver>
returns source
$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
returns long list of rpm's
$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   277k      0  0:00:01  0:00:01 --:--:--  278k

CC: (none) => makowski.mageia
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK

Dave Hodgins 2016-08-18 23:54:47 CEST

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2016-08-31 17:33:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0285.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

