Bug 21819 - curl new security issues CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8816, CVE-2017-8817
Summary: curl new security issues CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8816, C...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 19700
Reported: 2017-10-07 17:47 CEST by David Walser
Modified: 2018-01-03 17:41 CET (History)

See Also:
Source RPM: curl-7.56.0-2.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-10-07 17:47:10 CEST
Upstream has issued an advisory on October 4:
https://curl.haxx.se/docs/adv_20171004.html

The issue is fixed upstream in 7.56.0 and a patch is available.

Mageia 5 and Mageia 6 are also affected.
David Walser 2017-10-07 17:48:08 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
Blocks: (none) => 19700

Comment 1 Marja Van Waes 2017-10-08 20:48:29 CEST
Assigning to the registered curl maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2017-10-10 00:28:07 CEST
Debian has issued an advisory for this on October 6:
https://www.debian.org/security/2017/dsa-3992
Comment 3 David Walser 2017-10-23 12:01:13 CEST
Upstream has issued an advisory today (October 23):
https://curl.haxx.se/docs/adv_20171023.html

The issue is fixed upstream in 7.56.1 and a patch is available.

Source RPM: curl-7.55.1-2.mga7.src.rpm => curl-7.56.0-2.mga7.src.rpm
Summary: curl new security issue CVE-2017-1000254 => curl new security issues CVE-2017-1000254 and CVE-2017-1000257

Comment 4 David Walser 2017-10-23 16:19:11 CEST
(In reply to David Walser from comment #3)
> Upstream has issued an advisory today (October 23):
> https://curl.haxx.se/docs/adv_20171023.html
> 
> The issue is fixed upstream in 7.56.1 and a patch is available.

Ubuntu has issued an advisory for this today (October 23):
https://usn.ubuntu.com/usn/usn-3457-1/
Comment 5 David Walser 2017-11-30 21:16:44 CET
Upstream has issued advisories on November 29:
https://curl.haxx.se/docs/adv_2017-12e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html

The issues are fixed upstream in 7.57.0 and patches are available.

Mageia 5 and Mageia 6 are also affected.

Debian has issued an advisory for this on November 29:
https://www.debian.org/security/2017/dsa-4051

Summary: curl new security issues CVE-2017-1000254 and CVE-2017-1000257 => curl new security issues CVE-2017-1000254, CVE-2017-1000257, CVE-2017-8816, CVE-2017-8817

Comment 6 David Walser 2017-12-27 18:42:17 CET
curl updated to 7.57.0 in Cauldron on December 1 by me.

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6

Comment 7 David Walser 2017-12-27 22:04:51 CET
Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl contains a buffer overrun flaw in the NTLM authentication code
(CVE-2017-8816).

libcurl contains a read out of bounds flaw in the FTP wildcard function
(CVE-2017-8817).

libcurl may read outside of a heap allocated buffer when doing FTP
(CVE-2017-1000254).

libcurl contains a buffer overrun flaw in the IMAP handler
(CVE-2017-1000257).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8817
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000257
https://curl.haxx.se/docs/adv_20171004.html
https://curl.haxx.se/docs/adv_20171023.html
https://curl.haxx.se/docs/adv_2017-12e7.html
https://curl.haxx.se/docs/adv_2017-ae72.html
========================

Updated packages in core/updates_testing:
========================
curl-7.54.1-2.4.mga6
lib64curl4-7.54.1-2.4.mga6
lib64curl-devel-7.54.1-2.4.mga6
curl-examples-7.54.1-2.4.mga6

from curl-7.54.1-2.4.mga6.src.rpm

Assignee: shlomif => qa-bugs
Whiteboard: MGA5TOO => (none)
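The advisory above lists four CVEs whose upstream fixes arrived in three different curl releases (7.56.0, 7.56.1 and 7.57.0 according to the earlier comments), while the Mageia 6 update that carries all of them is curl-7.54.1-2.4.mga6, a backport whose upstream version string is unchanged. The script below is an added example, not part of this bug report or of Mageia's tooling: it maps an upstream curl version to the CVEs from this bug that build would still lack, and separately checks a Mageia 6 package name-version-release against the fixed release, so that a backported package is not misreported as vulnerable. The `curl --version` sample line and the simplified rpm segment comparison are my own assumptions.

```python
"""Check a curl build against the CVEs tracked in this bug (added example).

Upstream fixed versions are taken from the comments above; the Mageia 6
fixed package is curl-7.54.1-2.4.mga6 from comment 7. Because that package
is a backport, comparing only its upstream version (7.54.1) would wrongly
flag it, hence the separate version-release comparison for the package.
"""
import re
import subprocess

# Upstream release that first shipped each fix (from the advisories cited above).
FIXED_IN = {
    "CVE-2017-1000254": (7, 56, 0),
    "CVE-2017-1000257": (7, 56, 1),
    "CVE-2017-8816": (7, 57, 0),
    "CVE-2017-8817": (7, 57, 0),
}

# Mageia 6 version and release carrying the backported fixes (comment 7).
MGA6_FIXED_EVR = ("7.54.1", "2.4.mga6")


def parse_upstream_version(text: str):
    """Extract (major, minor, patch) from `curl --version` output.
    Assumed sample first line: 'curl 7.54.1 (x86_64-mageia-linux-gnu) libcurl/7.54.1 ...'."""
    m = re.search(r"\bcurl (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no curl version found in output")
    return tuple(int(x) for x in m.groups())


def unfixed_cves_upstream(version) -> list:
    """CVEs from this bug that an unpatched upstream build of `version` still has."""
    return [cve for cve, fixed in FIXED_IN.items() if version < fixed]


def _rpm_label_cmp(a: str, b: str) -> int:
    """Simplified rpm label comparison (assumption: enough for '2.4.mga6'-style
    strings, not a full rpmvercmp): split into numeric and alphabetic segments,
    numbers compare numerically, letters lexically, numeric beats alphabetic."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def mga6_package_is_fixed(version: str, release: str) -> bool:
    """True when a Mageia 6 curl package is at or above the fixed version-release:
    compare the version first, then the release when versions are equal."""
    c = _rpm_label_cmp(version, MGA6_FIXED_EVR[0])
    if c != 0:
        return c > 0
    return _rpm_label_cmp(release, MGA6_FIXED_EVR[1]) >= 0


def split_nvr(nvr: str):
    """'curl-7.54.1-2.4.mga6' -> ('curl', '7.54.1', '2.4.mga6')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


if __name__ == "__main__":
    # Upstream-version view of the locally installed curl binary.
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True).stdout
    v = parse_upstream_version(out)
    print("upstream", ".".join(map(str, v)), "still lacks:",
          unfixed_cves_upstream(v) or "nothing from this bug")
    # Package view, e.g. from `rpm -q curl` on Mageia 6 (constructed sample).
    name, ver, rel = split_nvr("curl-7.54.1-2.4.mga6")
    print(name, "fixed in package terms:", mga6_package_is_fixed(ver, rel))
```

For a distribution package the package-level check is the one that matters; the upstream-version check is only meaningful for builds taken directly from curl.haxx.se.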

Comment 8 Dave Hodgins 2018-01-03 16:27:00 CET
Ok on m6 i586 and x86_64.
Advisory committed to svn.
Validating the update.

Whiteboard: (none) => MGA6-64-OK MGA6-32-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 Mageia Robot 2018-01-03 17:41:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0054.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
