Upstream has issued two advisories on March 31: https://curl.se/docs/CVE-2021-22876.html https://curl.se/docs/CVE-2021-22890.html The issues are fixed upstream in 7.76.0: https://curl.se/changes.html Mageia 7 and 8 are also affected.
CVE: (none) => CVE-2021-22876, CVE-2021-22890
Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => curl-7.74.0-1.mga8.src.rpm
curl 7.76.0 is now in Cauldron.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)

TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
https://curl.se/changes.html
========================

Updated packages in 7/core/updates_testing:
========================
curl-7.71.0-1.2.mga7
lib(64)curl4-7.71.0-1.2.mga7
lib(64)curl-devel-7.71.0-1.2.mga7
curl-examples-7.71.0-1.2.mga7

from SRPM:
curl-7.71.0-1.2.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
curl-7.74.0-1.1.mga8
lib(64)curl4-7.74.0-1.1.mga8
lib(64)curl-devel-7.74.0-1.1.mga8
curl-examples-7.74.0-1.1.mga8

from SRPM:
curl-7.74.0-1.1.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Oops!

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)

TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
https://curl.se/docs/CVE-2021-22876.html
https://curl.se/docs/CVE-2021-22890.html
https://curl.se/changes.html
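The CVE-2021-22876 description above boils down to one rule for any HTTP client that auto-populates Referer: the userinfo part of the previous URL must never be copied into the header. The following C function is an added illustration of that rule written for this thread; it is not curl's own code and not the patch that fixed the CVE. It takes an absolute URL and returns the form that is safe to send as a Referer value, dropping "user:password@" from the authority and, as RFC 7231 also requires, the fragment. The function name, the buffer sizes and the sample URLs are all made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Build the value that may safely be placed in a Referer header.
 * Removes the userinfo ("user:pass@") from the authority and cuts off
 * any fragment ("#...").  Returns 0 on success, -1 if the input has no
 * "scheme://" or the output buffer is too small.
 * (Example code written for this bug thread; not libcurl's implementation.) */
int referer_safe_url(const char *url, char *out, size_t outlen)
{
    const char *scheme_end = strstr(url, "://");
    if (scheme_end == NULL)
        return -1;

    const char *authority = scheme_end + 3;
    /* The authority ends at the first '/', '?' or '#'. */
    size_t auth_len = strcspn(authority, "/?#");

    /* Userinfo, if present, ends at the last '@' inside the authority.
     * An '@' after the authority (e.g. in the path) is not a delimiter. */
    const char *at = NULL;
    for (const char *p = authority; p < authority + auth_len; p++)
        if (*p == '@')
            at = p;

    const char *host_start = at ? at + 1 : authority;
    size_t prefix_len = (size_t)(authority - url);      /* "scheme://" */
    size_t rest_len = strcspn(host_start, "#");          /* drop fragment */

    if (prefix_len + rest_len + 1 > outlen)
        return -1;
    memcpy(out, url, prefix_len);
    memcpy(out + prefix_len, host_start, rest_len);
    out[prefix_len + rest_len] = '\0';
    return 0;
}

/* Convenience wrapper using a shared buffer; returns NULL on failure. */
char referer_buf[512];
const char *referer_safe_url_s(const char *url)
{
    return referer_safe_url(url, referer_buf, sizeof referer_buf) == 0
               ? referer_buf : NULL;
}

int main(void)
{
    /* Constructed sample URLs; "example.test" is a reserved test domain. */
    const char *samples[] = {
        "https://alice:s3cret@example.test/dir/page?x=1#frag",
        "https://example.test/u@ser/x",
        "not a url",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *safe = referer_safe_url_s(samples[i]);
        printf("%-55s -> %s\n", samples[i], safe ? safe : "(rejected)");
    }
    return 0;
}
```

The check a reviewer would apply to any such helper is the second sample: an '@' that sits in the path must survive, so the scan for userinfo has to stop at the end of the authority rather than search the whole string.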
Installed and tested without issues.

Tested:
- HTTP(S) 1.1, HTTP(S) 2, FTP(S), SCP, SFTP, IMAP.
- HTTP GET, POST, HEAD.

All that was tested worked as expected. No issues noticed.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep curl.*7.71 | sort
curl-7.71.0-1.2.mga7
lib64curl4-7.71.0-1.2.mga7
libcurl4-7.71.0-1.2.mga7
CC: (none) => mageia
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
Tested in a VirtualBox mga8 64-bit Plasma guest. No installation issues. After installation, ensured that curl was to be used for downloading in drakrpm, then downloaded and installed several games from the math.princeton repo. No issues noted. OK for mga8. Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => ouaurelien
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0186.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Debian has issued an advisory for this on March 30: https://www.debian.org/security/2021/dsa-4881