cURL has issued advisories today (May 26):
https://curl.se/docs/CVE-2021-22898.html
https://curl.se/docs/CVE-2021-22901.html

CVE-2021-22901 only affects Cauldron. CVE-2021-22898 also affects Mageia 7 and Mageia 8. A simple patch for that issue is linked from the advisory.

The issues are also fixed upstream in 7.77.0:
https://curl.se/changes.html#7_77_0
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patches available from upstream
Suggested advisory:
========================

The updated packages fix a security vulnerability:

TELNET stack contents disclosure. (CVE-2021-22898)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22898
https://curl.se/docs/CVE-2021-22898.html
========================

Updated packages in 7/core/updates_testing:
========================
curl-7.71.0-1.3.mga7
lib(64)curl4-7.71.0-1.3.mga7
lib(64)curl-devel-7.71.0-1.3.mga7
curl-examples-7.71.0-1.3.mga7

from SRPM:
curl-7.71.0-1.3.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
curl-7.74.0-1.2.mga8
lib(64)curl4-7.74.0-1.2.mga8
lib(64)curl-devel-7.74.0-1.2.mga8
curl-examples-7.74.0-1.2.mga8

from SRPM:
curl-7.74.0-1.2.mga8.src.rpm
Source RPM: curl-7.74.0-1.mga8.src.rpm => curl-7.74.0-1.1.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
CVE: (none) => CVE-2021-22898
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 238789 for tests

$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="6563ccb5a75f2d3d12d558fd458115ea33440917"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, and more ......

$ curl -I https://www.keycdn.com/
HTTP/2 200
server: keycdn-engine
date: Sat, 29 May 2021 14:17:21 GMT
content-type: text/html
last-modified: Wed, 26 May 2021 18:28:19 GMT
vary: Accept-Encoding
etag: W/"60ae9343-10111"
expires: Sat, 05 Jun 2021 14:17:21 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  10126      0 --:--:-- --:--:-- --:--:-- 10055

file looks OK

MCC is set to use curl and performs OK.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene
Fedora has issued an advisory for this on May 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BQBFQI6AGHALKDLOL5S4ST4RMK2YG5SG/
Mga 8 x64 KDE
No installation issues

rpm -q curl: curl-7.74.0-1.2.mga8

tests:

curl -v https://geekflare.com
*   Trying 2606:4700:20::681b:7773:443...
* Connected to geekflare.com (2606:4700:20::681b:7773) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Aug  8 00:00:00 2020 GMT
*  expire date: Aug  8 12:00:00 2021 GMT
*  subjectAltName: host "geekflare.com" matched cert's "geekflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xfc5b00)
> GET / HTTP/2
> Host: geekflare.com
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 403
< date: Thu, 03 Jun 2021 19:04:18 GMT
< content-type: text/plain; charset=UTF-8
< content-length: 16
< x-frame-options: SAMEORIGIN
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< cf-request-id: 0a74dc2a0e0000085fdb8fe000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=im8BsO7e2GPrAh4ijGZChJ6r%2F86SfHy0edB0icoWSpPbxqm0MNsGawHdciZY1hBsEtHrU4m9o5YAAFSn3hxZDCcla2H9nweVWZVWFlzyEutGUIO5BwOwKmWmmvzrc%2FwsLupFH2J1"}],"group":"cf-nel","max_age":604800}
< nel: {"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 659b2fbcefea085f-CDG
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
<
* Connection #0 to host geekflare.com left intact
CC: (none) => hdetavernier
Validating.

Advisory:

type: security
subject: Updated curl packages fix a security vulnerability
CVE:
 - CVE-2021-22898
src:
  8:
   core:
     - curl-7.74.0-1.2.mga8
  7:
   core:
     - curl-7.71.0-1.3.mga7
description: |
  TELNET stack contents disclosure (CVE-2021-22898).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28971
 - https://curl.se/docs/CVE-2021-22898.html
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BQBFQI6AGHALKDLOL5S4ST4RMK2YG5SG/
CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0243.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED