Bug 28688 - curl new security issues CVE-2021-22876 and CVE-2021-22890
Summary: curl new security issues CVE-2021-22876 and CVE-2021-22890
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-03-31 08:56 CEST by Nicolas Salguero
Modified: 2021-05-27 23:50 CEST (History)

See Also:
Source RPM: curl-7.74.0-1.mga8.src.rpm
CVE: CVE-2021-22876, CVE-2021-22890
Status comment:



Description Nicolas Salguero 2021-03-31 08:56:46 CEST
Upstream has issued two advisories on March 31:
https://curl.se/docs/CVE-2021-22876.html
https://curl.se/docs/CVE-2021-22890.html

The issues are fixed upstream in 7.76.0:
https://curl.se/changes.html

Mageia 7 and 8 are also affected.
Nicolas Salguero 2021-03-31 08:58:17 CEST

CVE: (none) => CVE-2021-22876, CVE-2021-22890
Whiteboard: (none) => MGA8TOO, MGA7TOO
Source RPM: (none) => curl-7.74.0-1.mga8.src.rpm

Comment 1 Nicolas Salguero 2021-03-31 16:37:49 CEST
curl 7.76.0 is now in Cauldron.

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Comment 2 Nicolas Salguero 2021-04-01 11:45:37 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)

TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
https://curl.se/changes.html
========================

Updated packages in 7/core/updates_testing:
========================
curl-7.71.0-1.2.mga7
lib(64)curl4-7.71.0-1.2.mga7
lib(64)curl-devel-7.71.0-1.2.mga7
curl-examples-7.71.0-1.2.mga7

from SRPM:
curl-7.71.0-1.2.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
curl-7.74.0-1.1.mga8
lib(64)curl4-7.74.0-1.1.mga8
lib(64)curl-devel-7.74.0-1.1.mga8
curl-examples-7.74.0-1.1.mga8

from SRPM:
curl-7.74.0-1.1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 3 Nicolas Salguero 2021-04-01 11:46:28 CEST
Oops!

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. (CVE-2021-22876)

TLS 1.3 session ticket proxy host mixup. (CVE-2021-22890)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
https://curl.se/docs/CVE-2021-22876.html
https://curl.se/docs/CVE-2021-22890.html
https://curl.se/changes.html
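The Referer leak described in the advisory above (CVE-2021-22876), as an added example that is not curl's code: a safe derivation of a Referer value from the previously fetched URL, and a check over constructed client log lines for Referer values that still carry credentials. The host names, the sample log and the credentials in it are constructed.

```python
# Added example (not curl project code): what CVE-2021-22876 is about, from the
# defender's side. An HTTP client that follows a redirect and copies the previous
# URL verbatim into Referer: leaks any user:password@ present in that URL to the
# next server. RFC 7231 requires the client to drop userinfo (and the fragment).
from urllib.parse import urlsplit, urlunsplit
import re

def referer_for(previous_url: str) -> str:
    """Derive a safe Referer value: same origin/path/query, no userinfo, no fragment."""
    p = urlsplit(previous_url)
    host = p.hostname or ""
    if ":" in host:                 # IPv6 literal: put the brackets back
        host = f"[{host}]"
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def leaks_credentials(referer_value: str) -> bool:
    """Check a Referer value for userinfo that should have been stripped."""
    p = urlsplit(referer_value)
    return p.username is not None or p.password is not None

# Constructed sample of outgoing request headers as a verbose client might log
# them (the "> " prefix mirrors curl -v style output); the credentials are made up.
SAMPLE_LOG = """\
> GET /landing HTTP/1.1
> Host: tracker.example.net
> Referer: https://alice:s3cret@intranet.example.com/report?id=7
> GET /ok HTTP/1.1
> Referer: https://intranet.example.com/report?id=7
"""

REFERER_RE = re.compile(r"^>\s*Referer:\s*(\S+)", re.IGNORECASE)

def find_leaking_referers(log_text: str) -> list[str]:
    """Return every Referer value in the log that still carries userinfo."""
    found = []
    for line in log_text.splitlines():
        m = REFERER_RE.match(line)
        if m and leaks_credentials(m.group(1)):
            found.append(m.group(1))
    return found

if __name__ == "__main__":
    print(find_leaking_referers(SAMPLE_LOG))
    print(referer_for("https://alice:s3cret@intranet.example.com/report?id=7#top"))
```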
Comment 4 PC LX 2021-04-01 23:55:08 CEST
Installed and tested without issues.

Tested:
- HTTP(S) 1.1, HTTP(S) 2, FTP(S), SCP, SFTP, IMAP.
- HTTP GET, POST, HEAD.

All that was tested worked as expected. No issues noticed.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.10.27-desktop-1.mga7 #1 SMP Wed Mar 31 00:16:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep curl.*7.71 | sort
curl-7.71.0-1.2.mga7
lib64curl4-7.71.0-1.2.mga7
libcurl4-7.71.0-1.2.mga7

CC: (none) => mageia
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 5 Thomas Andrews 2021-04-07 02:38:13 CEST
Tested in a VirtualBox mga8 64-bit Plasma guest.

No installation issues. After installation, ensured that curl was to be used for downloading in drakrpm, then downloaded and installed several games from the math.princeton repo. No issues noted.

OK for mga8. Validating. Advisory in Comment 3.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: (none) => validated_update

Aurelien Oudelet 2021-04-12 16:33:39 CEST

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 6 Mageia Robot 2021-04-12 22:02:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0186.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 7 David Walser 2021-05-27 23:50:48 CEST
Debian has issued an advisory for this on March 30:
https://www.debian.org/security/2021/dsa-4881
