cURL has issued advisories today (June 24):
https://curl.haxx.se/docs/CVE-2020-8169.html
https://curl.haxx.se/docs/CVE-2020-8177.html

The issues are fixed upstream in 7.71.0: https://curl.haxx.se/changes.html
Advisory:
========================

Updated curl packages fix security vulnerabilities:

libcurl can be tricked to prepend a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s) (CVE-2020-8169).

curl can be tricked by a malicious server to overwrite a local file when using -J (--remote-header-name) and -i (--include) in the same command line (CVE-2020-8177).

The curl package has been updated to version 7.71.0, fixing these issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8177
https://curl.haxx.se/docs/CVE-2020-8169.html
https://curl.haxx.se/docs/CVE-2020-8177.html
https://curl.haxx.se/changes.html
========================

Updated packages in core/updates_testing:
========================

curl-7.71.0-1.mga7
libcurl4-7.71.0-1.mga7
libcurl-devel-7.71.0-1.mga7
curl-examples-7.71.0-1.mga7

from curl-7.71.0-1.mga7.src.rpm
CC: (none) => shlomif
Assignee: shlomif => qa-bugs
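As an added check that is not part of the bug report or the Mageia advisory, the following POSIX shell script parses the first line of "curl -V" output and compares both the tool version and the libcurl version it reports against 7.71.0, the first fixed release named in the advisory. The function names (version_ge, curl_fixed and friends) and the two embedded sample outputs are constructed for illustration; run it with --live to check the curl actually installed.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that curl and libcurl are at
# or above the fixed release (7.71.0) given in the advisory above.

# version_ge A B: exit 0 if dotted version A >= B, numeric field by field.
# Implemented in awk so it does not depend on GNU "sort -V".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0;
            q = (i <= m) ? y[i] + 0 : 0;
            if (p > q) exit 0;
            if (p < q) exit 1;
        }
        exit 0
    }'
}

# curl_version_from_output: the tool version, e.g. "7.71.0" from a first line
# such as "curl 7.71.0 (x86_64-mageia-linux-gnu) libcurl/7.71.0 ...".
curl_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# libcurl_version_from_output: the libcurl/X.Y.Z token on that same line.
# This is the library version that programs linked against libcurl
# (feh, cargo, weechat, ...) actually use, so it must be checked separately.
libcurl_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# curl_fixed OUTPUT: exit 0 only if both versions parsed and are >= 7.71.0.
curl_fixed() {
    v=$(curl_version_from_output "$1")
    l=$(libcurl_version_from_output "$1")
    [ -n "$v" ] && [ -n "$l" ] && version_ge "$v" 7.71.0 && version_ge "$l" 7.71.0
}

# Constructed sample outputs (hypothetical builds) so the script runs offline.
SAMPLE_OLD='curl 7.68.0 (x86_64-mageia-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1g zlib/1.2.11
Release-Date: 2020-01-08'
SAMPLE_NEW='curl 7.71.0 (x86_64-mageia-linux-gnu) libcurl/7.71.0 OpenSSL/1.1.1g zlib/1.2.11
Release-Date: 2020-06-24'

# With --live, inspect the curl installed on this machine instead.
if [ "$1" = "--live" ]; then
    out=$(curl -V 2>/dev/null) || { echo "curl not found"; exit 2; }
    if curl_fixed "$out"; then
        echo "curl/libcurl at or above 7.71.0 (CVE-2020-8169, CVE-2020-8177 fixed)"
    else
        echo "curl/libcurl below 7.71.0: update needed"
        exit 1
    fi
fi
```

Checking the libcurl token separately matters because a system can carry a patched curl binary alongside an older shared library, and it is the library that the 223 dependent packages mentioned later in this thread load.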
mga7, x86_64

Looked at the links given without finding any useful reproducers so went straight for the updates. Tried the simplest possible commands to test this. One would need a list of target sites to test all of the options in any meaningful way.

$ curl --output shadow.jpg https://apod.nasa.gov/apod/image/2006/EuropaJupiter_Voyager_2792.jpg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  766k  100  766k    0     0   268k      0  0:00:02  0:00:02 --:--:--  268k

Viewed shadow.jpg with eom.

Retrieved decoded METAR data for three airports:

$ curl ftp://tgftp.nws.noaa.gov/data/observations/metar/decoded/{EGPH,LFBL,KSAN}.TXT
Edinburgh Airport, United Kingdom (EGPH) 55-57N 003-21W 0M
Jun 28, 2020 - 11:50 AM EDT / 2020.06.28 1550 UTC
Wind: from the WSW (240 degrees) at 16 MPH (14 KT):0
[...]
Limoges, France (LFBL) 45-52N 001-11E 402M
Jun 28, 2020 - 12:00 PM EDT / 2020.06.28 1600 UTC
Wind: from the W (260 degrees) at 6 MPH (5 KT) (direction variable):0
Visibility: greater than 7 mile(s):0
Sky conditions: overcast
[...]
SAN DIEGO INTERNATIONAL \LINDBERGH FLD, CA, United States (KSAN) 32-44N 117-11W 12M
Jun 28, 2020 - 11:51 AM EDT / 2020.06.28 1551 UTC
Wind: from the SSW (200 degrees) at 8 MPH (7 KT):0
Visibility: 10 mile(s):0
....

Giving this an OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Make sure you test something using libcurl since it was upgraded.
@David. Thanks for the reminder - asleep on the job again :-(

Quite a long list - counted 223 packages including apache cargo clamav enigma feh kodi mediatomb uget weechat

$ strace -o trace cargo run hello_world
   Compiling hello_world v0.1.0 (/home/lcl/dev/rust/projects/hello_world)
    Finished dev [unoptimized + debuginfo] target(s) in 0.23s
     Running `target/debug/hello_world hello_world`
Hello World I'm a Rustacean!

$ grep curl trace
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
read(3, " /usr/lib64/libcurl.so.4"..., 1024) = 1024

That is not a satisfactory test though because there were probably no internet transactions.

$ strace -o trace.sqtoy cargo build
    Updating crates.io index
   Compiling libc v0.2.71
   Compiling rand_core v0.4.2
.....
   Compiling gfx v0.16.3
   Compiling gfx_window_glutin v0.16.0
   Compiling sqtoy v0.1.0 (/home/lcl/dev/rust/sqtoy)

Compilation looked successful although the build failed on a source code error.

$ grep curl trace.sqtoy
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3
read(3, " /usr/lib64/libcurl.so.4"..., 1024) = 1024

Not happy about this either because it is not clear if the modules were already "in house" or downloaded as needed.

Tried weechat - new to me - but could not figure out what was needed to join #mageia-qa - got as far as freenode.

$ grep curl trace.weechat
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3

No reads there.

Installed feh and:

$ strace -o trace.feh feh https://apod.nasa.gov/apod/image/2006/SkyReflections_Godward_2000.jpg

That displayed the APOD immediately.

$ grep curl trace.feh
openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3

Going to take that as a good result.
Validating. Advisory in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => mageia
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0282.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Debian has issued an advisory for this on March 30:
https://www.debian.org/security/2021/dsa-4881