Upstream has released version 7.50.1 today (August 3): https://curl.haxx.se/changes.html It fixes three security issues and other bugs. Freeze push requested for Cauldron. We'll need to add the patches for Mageia 5.
Done for mga5 adding the three upstream patches.
CC: (none) => geiger.david68210
Thanks David!

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=14468#c4

Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl before 7.50.1 would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate) (CVE-2016-5419).

In libcurl before 7.50.1, when using a client certificate for a connection that was then put into the connection pool, that connection could then wrongly get reused in a subsequent request to that same server. Mistakenly using the wrong connection could lead to applications sending requests to the wrong realms of the server using authentication that it wasn't supposed to have for those operations (CVE-2016-5420).

libcurl before 7.50.1 is vulnerable to a use-after-free flaw in curl_easy_perform() (CVE-2016-5421).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5419
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5421
https://curl.haxx.se/docs/adv_20160803A.html
https://curl.haxx.se/docs/adv_20160803B.html
https://curl.haxx.se/docs/adv_20160803C.html
========================

Updated packages in core/updates_testing:
========================

curl-7.40.0-3.4.mga5
libcurl4-7.40.0-3.4.mga5
libcurl-devel-7.40.0-3.4.mga5
curl-examples-7.40.0-3.4.mga5

from curl-7.40.0-3.4.mga5.src.rpm
Assignee: bugsquad => qa-bugs
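To make the two reuse bugs in the advisory concrete, here is an added example (not curl's code, and not part of this bug report) that models both in a few dozen lines of Python: a connection pool that matches on host:port only (CVE-2016-5420) and a TLS session cache keyed without the client certificate (CVE-2016-5419), each beside the corrected matching rule. The class names, the host example.test and the "admin.pem" certificate label are invented for illustration; the point is that a second request made with no client certificate ends up on the identity established by the first.

```python
# Added example, not curl's own code: a toy model of the two reuse bugs in the
# advisory above. Names (Conn, Pool, SessionCache, the "admin.pem" cert label and
# the host example.test) are invented for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    host: str
    port: int
    client_cert: Optional[str]  # identity of the client cert the handshake used, or None


class Pool:
    """Connection pool. check_cert=False models libcurl before 7.50.1 (CVE-2016-5420):
    a pooled connection is matched on host:port only, so a request made without a
    client cert (or with a different one) silently rides on the authenticated TLS
    connection that was set up for the previous cert."""

    def __init__(self, check_cert: bool) -> None:
        self.check_cert = check_cert
        self.conns: List[Conn] = []

    def _find(self, host: str, port: int, client_cert: Optional[str]) -> Optional[Conn]:
        for c in self.conns:
            if c.host != host or c.port != port:
                continue
            if self.check_cert and c.client_cert != client_cert:
                continue  # fixed behaviour: different client identity, do not reuse
            return c
        return None

    def get(self, host: str, port: int, client_cert: Optional[str]) -> Tuple[Conn, bool]:
        """Return (connection, reused). A new Conn records the cert it was built with."""
        c = self._find(host, port, client_cert)
        if c is not None:
            return c, True
        c = Conn(host, port, client_cert)
        self.conns.append(c)
        return c, False


class SessionCache:
    """TLS session cache. key_on_cert=False models CVE-2016-5419: a session established
    with one client cert is offered for resumption by a later connection using another
    (or none), and a server is allowed to skip the client-cert check on resume."""

    def __init__(self, key_on_cert: bool) -> None:
        self.key_on_cert = key_on_cert
        self.sessions: Dict[Tuple[str, int, Optional[str]], str] = {}

    def _key(self, host: str, port: int, client_cert: Optional[str]):
        return (host, port, client_cert if self.key_on_cert else None)

    def store(self, host: str, port: int, client_cert: Optional[str], session: str) -> None:
        self.sessions[self._key(host, port, client_cert)] = session

    def lookup(self, host: str, port: int, client_cert: Optional[str]) -> Optional[str]:
        return self.sessions.get(self._key(host, port, client_cert))


def run_scenario(fixed: bool) -> Dict[str, object]:
    """Two requests to the same server: first with a client cert, then with none
    (e.g. a public realm). Returns what the second request actually ends up using."""
    pool = Pool(check_cert=fixed)
    cache = SessionCache(key_on_cert=fixed)

    c1, _ = pool.get("example.test", 443, "admin.pem")
    cache.store("example.test", 443, "admin.pem", "session-from-admin-handshake")

    c2, reused = pool.get("example.test", 443, None)
    resumed = cache.lookup("example.test", 443, None)

    return {
        "connection_reused": reused,
        "identity_on_second_request": c2.client_cert,  # "admin.pem" when vulnerable
        "session_resumed": resumed is not None,
    }


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", run_scenario(fixed))
```

With fixed=False the second request (no certificate) is served on the connection and session the "admin.pem" handshake created; with fixed=True both lookups miss and a fresh, unauthenticated connection is made. Against a real libcurl the observable counterpart is the "Re-using existing connection!" line in `curl -v` output when two requests with different `--cert` settings to the same host are issued in one invocation; the version here does not hit the network.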
Debian has issued an advisory for this on August 3: https://www.debian.org/security/2016/dsa-3638
URL: (none) => http://lwn.net/Vulnerabilities/696214/
MGA5-32 on Acer D620 Xfce

No installation issues.
Tested with procedure as per Comment above.

At CLI:
$ curl -L https://<my-own-webserver>
returns source

$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
returns long list of rpm's

$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   277k      0  0:00:01  0:00:01 --:--:--  278k
CC: (none) => herman.viaene
Whiteboard: (none) => has_procedure MGA5-32-OK
MGA5-64

No installation issues.
Tested with procedure as per Comment above.

At CLI:
$ curl -L https://<my-own-webserver>
returns source

$ curl -l ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/
returns long list of rpm's

$ curl -o qarte.rpm ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/4/i586/media/core/updates/qarte-2.2.0-1.mga4.noarch.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  365k  100  365k    0     0   277k      0  0:00:01  0:00:01 --:--:--  278k
CC: (none) => makowski.mageia
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0285.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED