Upstream has issued an advisory on August 19:
The issue is fixed upstream in 7.72.0:
Mageia 7 is also affected.
Ubuntu has issued an advisory for this on August 19:
Fedora has issued an advisory for this today (August 21):
curl-7.72.0-1.mga8 uploaded for Cauldron by Shlomi.
Upstream has issued advisories today (December 9):
The issues are fixed upstream in 7.74.0.
curl new security issue CVE-2020-8231 => curl new security issues CVE-2020-8231 and CVE-2020-828[4-6]
Ubuntu has issued an advisory for this today (December 9):
Fedora has issued an advisory for the newest issues today (December 15):
Fixed upstream in 7.74.0
New curl pushed in Cauldron.
curl-7.74.0-1.mga8 uploaded by Nicolas.
The updated packages fix security vulnerabilities:
Due to use of a dangling pointer, libcurl 7.29.0 through 7.71.1 can use the wrong connection when sending data. (CVE-2020-8231)
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. (CVE-2020-8284)
curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing. (CVE-2020-8285)
curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response. (CVE-2020-8286)
Updated packages in core/updates_testing:
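The PASV redirection behind CVE-2020-8284 above, and the defensive choice a client should make, as an added example (this is not curl's code and not part of this bug report; the control-connection address and the 227 replies are constructed):

```python
"""Defensive handling of an FTP PASV reply (CVE-2020-8284 scenario).

A client that trusts the address in a 227 reply can be steered by a
malicious server towards any host and port it names.  The safe choice,
and the default curl adopted in 7.74.0, is to keep the control
connection's address and take only the port from the reply."""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; ValueError if malformed."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a valid PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return ".".join(str(n) for n in nums[:4]), port


def choose_data_endpoint(control_ip: str, reply: str,
                         skip_pasv_ip: bool = True) -> tuple[str, int, bool]:
    """Decide where the data connection goes.

    control_ip is the IP address the control connection is talking to.
    Returns (host, port, redirected); redirected is True when the server
    advertised an address other than control_ip.  With skip_pasv_ip=True
    the advertised address is ignored and only the port is honoured, so
    the server cannot make the client probe some other host."""
    adv_host, port = parse_pasv(reply)
    redirected = ipaddress.ip_address(adv_host) != ipaddress.ip_address(control_ip)
    host = control_ip if (skip_pasv_ip or not redirected) else adv_host
    return host, port, redirected


if __name__ == "__main__":
    ctl = "203.0.113.10"                               # constructed server IP
    for reply in ("227 Entering Passive Mode (203,0,113,10,195,80)",   # honest
                  "227 Entering Passive Mode (10,0,0,5,31,144)"):       # steering
        host, port, redirected = choose_data_endpoint(ctl, reply)
        print(f"{reply!r} -> connect to {host}:{port}, redirected={redirected}")
```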
Tested on a 64-bit Plasma system. No installation issues.
Tested using drakrpm. First made sure it was set to use curl for downloading, then added media from a specific mirror, and removed them. Downloaded and installed several games, without issues.
As far as these tests go it looks good, so I'm going to give it an OK and validate. Advisory in Comment 9.
Advisory pushed to SVN.
An update for this issue has been pushed to the Mageia Updates repository.