Upstream has issued advisories today (January 24):
https://curl.haxx.se/docs/adv_2018-824a.html
https://curl.haxx.se/docs/adv_2018-b3bf.html

The issues are fixed in 7.58.0 (uploaded for Cauldron) and patches are available.

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.

Update submitted to 6 core/updates_testing with %subrel 5.
Blocks: (none) => 22457
Thanks. Mageia 5 moved to Bug 22457 and can be dealt with later.

Advisory:
========================

Updated curl packages fix security vulnerabilities:

It was reported that reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required. When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something (CVE-2018-1000005).

When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers to subsequent hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request (CVE-2018-1000008).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000008
https://curl.haxx.se/docs/adv_2018-824a.html
https://curl.haxx.se/docs/adv_2018-b3bf.html
========================

Updated packages in core/updates_testing:
========================
curl-7.54.1-2.5.mga6
libcurl4-7.54.1-2.5.mga6
libcurl-devel-7.54.1-2.5.mga6
curl-examples-7.54.1-2.5.mga6

from curl-7.54.1-2.5.mga6.src.rpm
Whiteboard: MGA5TOO => (none)
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
Component: RPM Packages => Security
QA Contact: (none) => security
Installed and tested without issues.

Tested curl CLI.
Tested HTTP/1.1, HTTP/2, FTP and SSH/SFTP protocols.
Tested with tor's SOCKS5 proxy and ssh tunnel.
Tested PHP's curl support.
Tested Python's curl support.

Does anyone know a way to test the specific vulnerabilities?

System: Mageia 6, x86_64, Intel CPU.

$ uname -a
Linux marte 4.14.15-desktop-2.mga6 #1 SMP Wed Jan 24 23:42:14 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep curl | sort
curl-7.54.1-2.5.mga6
lib64curl4-7.54.1-2.5.mga6
libcurl4-7.54.1-2.4.mga6
php-curl-5.6.33-1.mga6
python3-curl-7.43.0-2.mga6
CC: (none) => mageia
Debian has issued an advisory for this on January 26: https://www.debian.org/security/2018/dsa-4098
@PC LX Thanks for your very comprehensive testing of this update. I am adding the 64-bit OK on your behalf. You obviously know what you are doing, so it would be very helpful for other testers unversed in these matters if you could find the time to document your procedures, in simple terms if possible. Looking at the links provided in the advisory it does not look as if any POCs are available.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
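
A local regression check for the redirect issue in the advisory above (CVE-2018-1000008 only, not the HTTP/2 trailer issue), added here as an example and not part of the original thread or of curl's test suite. It assumes, per the upstream advisory, that a fixed libcurl sends a custom Authorization: header only to the host in the original URL; the function names and the token are hypothetical and constructed.

```python
import http.server, shutil, subprocess, threading

HEADER = "Authorization: Bearer constructed-test-token"  # constructed value
seen = {}  # role -> Authorization value that server received (None if absent)

def make_handler(role, location=None):
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            seen[role] = self.headers.get("Authorization")
            self.send_response(302 if location else 200)
            if location:
                self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the console quiet
            pass
    return Handler

def serve(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def check_redirect_leak(fetch):
    """Run fetch(url, header) against a local 302 and report what the
    redirect target saw: 'LEAKED', 'withheld' or 'redirect not followed'."""
    seen.clear()
    target = serve(make_handler("target"))
    # Same machine, different host name: "localhost" vs "127.0.0.1".
    origin = serve(make_handler(
        "origin", f"http://localhost:{target.server_port}/"))
    try:
        fetch(f"http://127.0.0.1:{origin.server_port}/", HEADER)
    finally:
        for srv in (origin, target):
            srv.shutdown()
            srv.server_close()
    if "target" not in seen:
        return "redirect not followed"
    return "LEAKED" if seen["target"] else "withheld"

def curl_fetch(url, header):
    # -L follows the redirect, -H adds the custom header (the advisory's case)
    subprocess.run(["curl", "-s", "-o", "/dev/null", "--noproxy", "*",
                    "-L", "-H", header, url], check=True, timeout=15)

if __name__ == "__main__":
    if shutil.which("curl"):
        print("installed curl:", check_redirect_leak(curl_fetch))
    else:
        print("curl not found in PATH")
```

Run before and after installing the update: under the assumption above, the unpatched package should report LEAKED and the updated one withheld.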
Advisory committed to svn. Validating the update.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0110.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED