Upstream has issued an advisory on October 4: https://curl.haxx.se/docs/adv_20171004.html The issue is fixed upstream in 7.56.0 and a patch is available. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Blocks: (none) => 19700
Assigning to the registered curl maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
Debian has issued an advisory for this on October 6: https://www.debian.org/security/2017/dsa-3992
Upstream has issued an advisory today (October 23): https://curl.haxx.se/docs/adv_20171023.html The issue is fixed upstream in 7.56.1 and a patch is available.
Source RPM: curl-7.55.1-2.mga7.src.rpm => curl-7.56.0-2.mga7.src.rpm
Summary: curl new security issue CVE-2017-1000254 => curl new security issues CVE-2017-1000254 and CVE-2017-1000257
(In reply to David Walser from comment #3)
> Upstream has issued an advisory today (October 23):
> https://curl.haxx.se/docs/adv_20171023.html
>
> The issue is fixed upstream in 7.56.1 and a patch is available.

Ubuntu has issued an advisory for this today (October 23): https://usn.ubuntu.com/usn/usn-3457-1/
Upstream has issued advisories on November 29: https://curl.haxx.se/docs/adv_2017-12e7.html https://curl.haxx.se/docs/adv_2017-ae72.html The issues are fixed upstream in 7.57.0 and patches are available. Mageia 5 and Mageia 6 are also affected. Debian has issued an advisory for this on November 29: https://www.debian.org/security/2017/dsa-4051
Summary: curl new security issues CVE-2017-1000254 and CVE-2017-1000257 => curl new security issues CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8816, CVE-2017-8817
curl updated to 7.57.0 in Cauldron on December 1 by me.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl contains a buffer overrun flaw in the NTLM authentication code (CVE-2017-8816).

libcurl contains a read out of bounds flaw in the FTP wildcard function (CVE-2017-8817).

libcurl may read outside of a heap allocated buffer when doing FTP (CVE-2017-1000254).

libcurl contains a buffer overrun flaw in the IMAP handler (CVE-2017-1000257).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
https://curl.haxx.se/docs/adv_20171004.html
https://curl.haxx.se/docs/adv_20171023.html
https://curl.haxx.se/docs/adv_2017-12e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
========================

Updated packages in core/updates_testing:
========================
curl-7.54.1-2.4.mga6
lib64curl4-7.54.1-2.4.mga6
lib64curl-devel-7.54.1-2.4.mga6
curl-examples-7.54.1-2.4.mga6

from curl-7.54.1-2.4.mga6.src.rpm
Assignee: shlomif => qa-bugs
Whiteboard: MGA5TOO => (none)
Ok on m6 i586 and x86_64. Advisory committed to svn. Validating the update.
Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0054.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED