Upstream has issued advisories today (January 24):
The issues are fixed in 7.58.0 (uploaded for Cauldron) and patches are available.
Mageia 5 is also affected.
Assigning to the registered maintainer.
(In reply to Marja van Waes from comment #1)
> Assigning to the registered maintainer.
Update submitted to 6 core/updates_testing with %subrel 5.
Thanks. Mageia 5 moved to Bug 22457 and can be dealt with later.
Updated curl packages fix security vulnerabilities:
It was reported that reading an HTTP/2 trailer could mess up future trailers
since the stored size was one byte less than required. When accessed, the data
is read out of bounds and causes either a crash or that the (too large) data
gets passed to the libcurl callback. This might lead to a denial-of-service
situation or an information disclosure if someone has a service that echoes
back or uses the trailers for something (CVE-2018-1000005).
When asked to send custom headers in its HTTP requests, libcurl will send that
set of headers first to the host in the initial URL but also, if asked to
follow redirects and a 30X HTTP response code is returned, to the host
mentioned in URL in the Location: response header value. Sending the same set
of headers to subsequent hosts is in particular a problem for applications
that pass on custom Authorization: headers, as this header often contains
privacy sensitive information or data that could allow others to impersonate
the libcurl-using client's request (CVE-2018-1000008).
Updated packages in core/updates_testing:
RPM Packages =>
Installed and tested without issues.
Tested curl CLI.
Tested HTTP/1.1, HTTP/2, FTP and SSH/SFTP protocols.
Tested with tor's SOCKS5 proxy and ssh tunnel.
Tested PHP's curl support.
Tested Python's curl support.
Does anyone know a way to test the specific vulnerabilities?
System: Mageia 6, x86_64, Intel CPU.
$ uname -a
Linux marte 4.14.15-desktop-2.mga6 #1 SMP Wed Jan 24 23:42:14 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep curl | sort
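One way to check the redirect behaviour described in the advisory text above, as an added example that is not part of the original thread or of the curl project: two loopback HTTP servers, one answering 302 to the other under a different host name, with the second recording whether the custom Authorization: header arrives. The function names, the token and the use of "localhost" versus "127.0.0.1" as two distinct hosts are assumptions of this sketch.

```python
import http.server, subprocess, threading

HEADER = "Authorization: Bearer constructed-test-token"  # constructed, not a real credential

class Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass
    def reply(self, status, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

def start(handler):
    """Serve handler on an ephemeral loopback port in a daemon thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def make_pair():
    """Return (redirector, sink, seen); seen lists the Authorization value of each sink request."""
    seen = []
    class Sink(Quiet):
        def do_GET(self):
            seen.append(self.headers.get("Authorization"))
            self.reply(200)
    sink = start(Sink)
    class Redirector(Quiet):
        def do_GET(self):
            # Assumption: "localhost" differs from the initial host string "127.0.0.1"
            self.reply(302, "http://localhost:%d/" % sink.server_port)
    return start(Redirector), sink, seen

def header_leaked(seen):
    """True if any request that reached the sink carried an Authorization header."""
    return any(value is not None for value in seen)

def check_curl(curl="curl"):
    """Run the given curl binary against the pair; True means the header followed the redirect."""
    redirector, sink, seen = make_pair()
    try:
        subprocess.run([curl, "-s", "-L", "-H", HEADER, "-o", "/dev/null",
                        "http://127.0.0.1:%d/" % redirector.server_port],
                       check=True, timeout=20)
    finally:
        redirector.shutdown(); sink.shutdown()
    if not seen:  # redirect never reached the sink, so the result would be meaningless
        raise RuntimeError("redirect was not followed; no verdict")
    return header_leaked(seen)

if __name__ == "__main__":
    print("header forwarded to second host" if check_curl() else "header not forwarded")
```

Run it once with the installed curl before the update and once after; the expectation from the advisory is that the updated package no longer forwards the header.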
Debian has issued an advisory for this on January 26:
Thanks for your very comprehensive testing of this update. I am adding the 64-bit OK on your behalf.
You obviously know what you are doing, so it would be very helpful for other testers unversed in these matters if you could find the time to document your procedures, in simple terms if possible.
Looking at the links provided in the advisory it does not look as if any POCs are available.
Advisory committed to svn. Validating the update.
An update for this issue has been pushed to the Mageia Updates repository.