Upstream has issued an advisory on August 19: https://curl.haxx.se/docs/CVE-2020-8231.html
The issue is fixed upstream in 7.72.0: https://curl.haxx.se/changes.html
Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Ubuntu has issued an advisory for this on August 19: https://ubuntu.com/security/notices/USN-4466-1
Fedora has issued an advisory for this today (August 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7JHSXTQ7EUHJPYL333CB3OBCKHA5FQC/
curl-7.72.0-1.mga8 uploaded for Cauldron by Shlomi.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Upstream has issued advisories today (December 9):
https://curl.se/docs/CVE-2020-8284.html
https://curl.se/docs/CVE-2020-8285.html
https://curl.se/docs/CVE-2020-8286.html
The issues are fixed upstream in 7.74.0.
Whiteboard: (none) => MGA7TOO
Summary: curl new security issue CVE-2020-8231 => curl new security issues CVE-2020-8231 and CVE-2020-828[4-6]
Version: 7 => Cauldron
Ubuntu has issued an advisory for this today (December 9): https://ubuntu.com/security/notices/USN-4665-1
Severity: normal => major
Fedora has issued an advisory for the newest issues today (December 15): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
Status comment: (none) => Fixed upstream in 7.74.0
Assignee: shlomif => pkg-bugs
New curl pushed in Cauldron.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => mageia
curl-7.74.0-1.mga8 uploaded by Nicolas.
Source RPM: curl-7.71.1-1.mga8.src.rpm => curl-7.71.0-1.mga7.src.rpm
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. (CVE-2020-8231)

A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. (CVE-2020-8284)

curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. (CVE-2020-8285)

curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. (CVE-2020-8286)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8231
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8285
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8286
https://curl.haxx.se/docs/CVE-2020-8231.html
https://ubuntu.com/security/notices/USN-4466-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/Q7JHSXTQ7EUHJPYL333CB3OBCKHA5FQC/
https://curl.se/docs/CVE-2020-8284.html
https://curl.se/docs/CVE-2020-8285.html
https://curl.se/docs/CVE-2020-8286.html
https://ubuntu.com/security/notices/USN-4665-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NZUVSQHN2ESHMJXNQ2Z7T2EELBB5HJXG/
========================

Updated packages in core/updates_testing:
========================

curl-7.71.0-1.1.mga7
lib(64)curl4-7.71.0-1.1.mga7
lib(64)curl-devel-7.71.0-1.1.mga7
curl-examples-7.71.0-1.1.mga7

from SRPM:
curl-7.71.0-1.1.mga7.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 7.74.0 => (none)
Assignee: pkg-bugs => qa-bugs
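The PASV redirection behind CVE-2020-8284 in the advisory text above, shown as an added example; this is not code from the bug report or from curl itself. It parses a constructed FTP 227 reply and contrasts the older behaviour (connect to whatever address the server names) with the behaviour curl's advisory describes for the fix, ignoring the address in the reply and reusing the control-connection peer, the same effect as libcurl's CURLOPT_FTP_SKIP_PASV_IP option. The peer address, sample replies and function names are assumptions for the illustration.

```python
"""Parse an FTP 227 (PASV) reply and decide where the data connection goes.

Added illustration for CVE-2020-8284; not curl's code. The control-connection
peer address and the sample replies below are constructed for the example.
"""
import re
from typing import NamedTuple


class DataEndpoint(NamedTuple):
    host: str
    port: int


class PasvError(ValueError):
    """Malformed or unexpected PASV reply."""


# RFC 959 form: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> DataEndpoint:
    """Return the host/port the server asks the client to connect to.

    Raises PasvError for anything that is not a well-formed 227 reply.
    """
    if not reply.startswith("227"):
        raise PasvError(f"expected a 227 reply, got {reply!r}")
    m = _PASV_TUPLE.search(reply)
    if m is None:
        raise PasvError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise PasvError("octet out of range")
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise PasvError("port 0 is not usable")
    return DataEndpoint(".".join(str(n) for n in nums[:4]), port)


def data_endpoint_trusting(reply: str, control_peer: str) -> DataEndpoint:
    """Old default: connect wherever the server says.

    A hostile server can name an internal host and port here and use the
    client as a port scanner or banner grabber (control_peer is ignored).
    """
    return parse_pasv(reply)


def data_endpoint_hardened(reply: str, control_peer: str) -> DataEndpoint:
    """Skip-PASV-IP behaviour: keep the port from the reply, but always
    connect to the peer of the control connection."""
    ep = parse_pasv(reply)
    return DataEndpoint(control_peer, ep.port)


def pasv_redirects_off_host(reply: str, control_peer: str) -> bool:
    """True when the reply tries to steer the data connection elsewhere;
    worth logging even when the hardened path is in use."""
    return parse_pasv(reply).host != control_peer


# Constructed sample exchange: control connection to 203.0.113.10.
CONTROL_PEER = "203.0.113.10"
BENIGN_REPLY = "227 Entering Passive Mode (203,0,113,10,195,89)"
HOSTILE_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)"  # internal host, port 22

if __name__ == "__main__":
    for reply in (BENIGN_REPLY, HOSTILE_REPLY):
        print(reply)
        print("  trusting :", data_endpoint_trusting(reply, CONTROL_PEER))
        print("  hardened :", data_endpoint_hardened(reply, CONTROL_PEER))
        print("  off-host :", pasv_redirects_off_host(reply, CONTROL_PEER))
```

Note that the hardened path still lets the server choose the port, so a server can direct the data connection to any port on its own address; that is inherent to PASV and is why the advisory's concern is specifically about reaching other hosts.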
Tested on a 64-bit Plasma system. No installation issues. Tested using drakrpm. First made sure it was set to use curl for downloading, then added media from a specific mirror, and removed them. Downloaded and installed several games, without issues. As far as these tests go it looks good, so I'm going to give it an OK and validate. Advisory in Comment 9.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Advisory pushed to SVN.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0482.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED