Bug 27154 - curl new security issues CVE-2020-8231 and CVE-2020-828[4-6]
Summary: curl new security issues CVE-2020-8231 and CVE-2020-828[4-6]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-20 18:16 CEST by David Walser
Modified: 2020-12-31 15:34 CET (History)
4 users (show)

See Also:
Source RPM: curl-7.71.0-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-08-20 18:16:02 CEST
Upstream has issued an advisory on August 19:
https://curl.haxx.se/docs/CVE-2020-8231.html

The issue is fixed upstream in 7.72.0:
https://curl.haxx.se/changes.html

Mageia 7 is also affected.
David Walser 2020-08-20 18:16:08 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-08-21 21:11:21 CEST
Ubuntu has issued an advisory for this on August 19:
https://ubuntu.com/security/notices/USN-4466-1
Comment 2 David Walser 2020-08-21 23:43:38 CEST
Fedora has issued an advisory for this today (August 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7JHSXTQ7EUHJPYL333CB3OBCKHA5FQC/
Comment 3 David Walser 2020-10-13 14:42:37 CEST
curl-7.72.0-1.mga8 uploaded for Cauldron by Shlomi.

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 David Walser 2020-12-09 22:11:57 CET
Upstream has issued advisories today (December 9):
https://curl.se/docs/CVE-2020-8284.html
https://curl.se/docs/CVE-2020-8285.html
https://curl.se/docs/CVE-2020-8286.html

The issues are fixed upstream in 7.74.0.

Whiteboard: (none) => MGA7TOO
Summary: curl new security issue CVE-2020-8231 => curl new security issues CVE-2020-8231 and CVE-2020-828[4-6]
Version: 7 => Cauldron

Comment 5 David Walser 2020-12-09 23:40:18 CET
Ubuntu has issued an advisory for this today (December 9):
https://ubuntu.com/security/notices/USN-4665-1
David Walser 2020-12-09 23:41:40 CET

Severity: normal => major

Comment 6 David Walser 2020-12-15 17:37:38 CET
Fedora has issued an advisory for the newest issues today (December 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
David Walser 2020-12-27 20:44:52 CET

Status comment: (none) => Fixed upstream in 7.74.0
Assignee: shlomif => pkg-bugs

Comment 7 Nicolas Lécureuil 2020-12-27 21:01:59 CET
new curl pushed in cauldron.

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia

Comment 8 David Walser 2020-12-27 21:18:32 CET
curl-7.74.0-1.mga8 uploaded by Nicolas.

Source RPM: curl-7.71.1-1.mga8.src.rpm => curl-7.71.0-1.mga7.src.rpm

Comment 9 Nicolas Salguero 2020-12-29 14:32:51 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. (CVE-2020-8231)

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. (CVE-2020-8284)

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. (CVE-2020-8285)

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. (CVE-2020-8286)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8286
https://curl.haxx.se/docs/CVE-2020-8231.html
https://ubuntu.com/security/notices/USN-4466-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7JHSXTQ7EUHJPYL333CB3OBCKHA5FQC/
https://curl.se/docs/CVE-2020-8284.html
https://curl.se/docs/CVE-2020-8285.html
https://curl.se/docs/CVE-2020-8286.html
https://ubuntu.com/security/notices/USN-4665-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
========================

Updated packages in core/updates_testing:
========================
curl-7.71.0-1.1.mga7
lib(64)curl4-7.71.0-1.1.mga7
lib(64)curl-devel-7.71.0-1.1.mga7
curl-examples-7.71.0-1.1.mga7

from SRPM:
curl-7.71.0-1.1.mga7.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 7.74.0 => (none)
Assignee: pkg-bugs => qa-bugs

Comment 10 Thomas Andrews 2020-12-30 01:38:49 CET
Tested on a 64-bit Plasma system. No installation issues.

Tested using drakrpm. First made sure it was set to use curl for downloading, then added media from a specific mirror, and removed them. Downloaded and installed several games, without issues.

As far as these tests go it looks good, so I'm going to give it an OK and validate. Advisory in Comment 9.

Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Aurelien Oudelet 2020-12-31 10:43:33 CET
Advisory pushed to SVN.

Keywords: (none) => advisory

Comment 12 Mageia Robot 2020-12-31 15:34:00 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0482.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.