Upstream has released cURL 7.62.0 today (October 31):
https://curl.haxx.se/changes.html#7_62_0

It fixes three security issues:
https://curl.haxx.se/docs/CVE-2018-16839.html
https://curl.haxx.se/docs/CVE-2018-16840.html
https://curl.haxx.se/docs/CVE-2018-16842.html

Mageia 6 is also affected by the first and third issues. Patches are linked from the upstream advisories.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Debian has issued an advisory for this on November 2: https://www.debian.org/security/2018/dsa-4331
Shlomi updated to 7.62.0 in Cauldron.
Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Fedora says wget's CVE-2018-20483 also affects curl: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AMBI4JRD6CXI7BO7EF3SHBEPARNL4ZBQ/
cURL 7.64.0 has been released on February 6, fixing more security issues:
https://curl.haxx.se/changes.html#7_64_0
https://curl.haxx.se/docs/CVE-2018-16890.html
https://curl.haxx.se/docs/CVE-2019-3822.html
https://curl.haxx.se/docs/CVE-2019-3823.html

Shlomi updated it in Cauldron.
Summary: curl new security issues CVE-2018-16839 and CVE-2018-1684[02] => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23]
Debian has issued an advisory for this on February 6: https://www.debian.org/security/2019/dsa-4386
cURL 7.65.0 has been released today (May 22), fixing two security issues:
https://curl.haxx.se/changes.html#7_65_0
https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html

CVE-2019-5435 only affects Cauldron; CVE-2019-5436 also affects Mageia 6.
Summary: curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23] => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436
Shlomi built 7.65.0 in updates_testing but it never got moved to release.
Version: 6 => Cauldron
Whiteboard: (none) => MGA7TOO, MGA6TOO
Ubuntu advisory for the most recent CVEs, from May 22: https://usn.ubuntu.com/3993-1/
cURL 7.66.0 has been released today (September 11), fixing two security issues:
https://curl.haxx.se/changes.html#7_66_0
https://curl.haxx.se/docs/CVE-2019-5481.html
https://curl.haxx.se/docs/CVE-2019-5482.html

Mageia 6 and Mageia 7 are also affected.
Summary: curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436 => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436, CVE-2019-548[12]
RedHat has issued an advisory for some of these issues on November 5: https://access.redhat.com/errata/RHSA-2019:3701
Assignee: shlomif => pkg-bugs
CC: (none) => shlomif
CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23] already fixed in Mageia 7.
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1. (CVE-2019-5435)

A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1. (CVE-2019-5436)

Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3. (CVE-2019-5481)

Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482
https://curl.haxx.se/changes.html#7_65_0
https://curl.haxx.se/docs/CVE-2019-5435.html
https://curl.haxx.se/docs/CVE-2019-5436.html
https://curl.haxx.se/changes.html#7_66_0
https://curl.haxx.se/docs/CVE-2019-5481.html
https://curl.haxx.se/docs/CVE-2019-5482.html
https://usn.ubuntu.com/3993-1/
========================

Updated packages in core/updates_testing:
========================

curl-7.66.0-1.mga7
lib(64)curl4-7.66.0-1.mga7
lib(64)curl-devel-7.66.0-1.mga7
curl-examples-7.66.0-1.mga7

from SRPMS:
curl-7.66.0-1.mga7.src.rpm
Whiteboard: MGA7TOO, MGA6TOO => (none)
Version: Cauldron => 7
Status: NEW => ASSIGNED
Source RPM: curl-7.54.1-2.7.mga6.src.rpm => curl-7.64.1-1.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Summary: curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-5436, CVE-2019-548[12] => curl new security issues CVE-2018-16839, CVE-2018-1684[02], CVE-2018-16890, CVE-2019-382[23], CVE-2019-543[56], CVE-2019-548[12]
CVE: (none) => CVE-2019-543[56], CVE-2019-548[12]
MGA7-64 Plasma on Lenovo B50
No installation issues.

Found https://www.keycdn.com/support/popular-curl-examples with a series of examples:

$ curl https://www.keycdn.com
<!DOCTYPE html>
<html lang="en" prefix="og: http://ogp.me/ns#">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="version" content="81d039956b90644e963c12544cddac4339380779">
<title>KeyCDN - Content delivery made easy</title>
and a lot more

$ curl -I https://www.keycdn.com/
HTTP/2 200
server: keycdn-engine
date: Mon, 18 Nov 2019 14:08:14 GMT
content-type: text/html
vary: Accept-Encoding
last-modified: Fri, 15 Nov 2019 23:51:32 GMT
etag: W/"5dcf3a04-13f5f"
expires: Mon, 25 Nov 2019 14:08:14 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *

The next commands in the site do not work anymore as the address cdn.keydn.com does not exist anymore.

Trying
$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
results in a decent looking html file created, but its contents are "Error 404" as the site has changed since then.

The same goes for
$ curl -O https://cdn.keycdn.com/css/animate.min.css

Example 5: I couldn't figure out what was added in the loooooong output.

$ curl -D - https://www.keycdn.com/ -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/2 200
server: keycdn-engine
date: Mon, 18 Nov 2019 14:52:34 GMT
content-type: text/html
vary: Accept-Encoding
last-modified: Fri, 15 Nov 2019 23:51:32 GMT
etag: W/"5dcf3a04-13f5f"
expires: Mon, 25 Nov 2019 14:52:34 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *
100 81759    0 81759    0     0   654k      0 --:--:-- --:--:-- --:--:--  659k

From https://curl.haxx.se/docs/httpscripting.html I try
$ curl --trace-ascii d.txt --trace-time http://www.keycdn.com
The resulting file contains a long list with time stamps.

and
$ curl --user me:mypasswd ftp://<mydesktop>/
lists me the contents of the home directory.

Seems all well enough.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
There's no need to test curl itself as it has an extensive build-time test suite, but we do need to check something that uses libcurl to make sure updating curl didn't break it (as it has sometimes in the past).
(In reply to David Walser from comment #15)
> There's no need to test curl itself as it has an extensive build-time test
> suite, but we do need to check something that uses libcurl to make sure
> updating curl didn't break it (as it has sometimes in the past).

"urpmq --whatrequires lib64curl4" contains "psensor" on the long list that results. It just so happens that I installed Psensor on my laptop months ago after installing an ssd.

I checked Psensor before updating anything, and everything was working as it should as far as I can tell. After shutting Psensor down and using the QA Repo tool to update curl and lib64curl4, I checked again. Nothing was broken that I could see.

Validating. Advisory in Comment 13.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0337.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED