Bug 28971 - curl new security issues CVE-2021-22898 and CVE-2021-22901
Summary: curl new security issues CVE-2021-22898 and CVE-2021-22901
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-26 20:00 CEST by David Walser
Modified: 2021-06-08 23:46 CEST

See Also:
Source RPM: curl-7.74.0-1.1.mga8.src.rpm
CVE: CVE-2021-22898
Status comment:



Description David Walser 2021-05-26 20:00:09 CEST
cURL has issued advisories today (May 26):
https://curl.se/docs/CVE-2021-22898.html
https://curl.se/docs/CVE-2021-22901.html

CVE-2021-22901 only affects Cauldron.

CVE-2021-22898 also affects Mageia 7 and Mageia 8.  A simple patch for that issue is linked from the advisory.

The issues are also fixed upstream in 7.77.0:
https://curl.se/changes.html#7_77_0

David Walser 2021-05-26 20:00:22 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Patches available from upstream

Comment 1 Nicolas Salguero 2021-05-28 10:02:32 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

TELNET stack contents disclosure. (CVE-2021-22898)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22898
https://curl.se/docs/CVE-2021-22898.html
========================

Updated packages in 7/core/updates_testing:
========================
curl-7.71.0-1.3.mga7
lib(64)curl4-7.71.0-1.3.mga7
lib(64)curl-devel-7.71.0-1.3.mga7
curl-examples-7.71.0-1.3.mga7

from SRPM:
curl-7.71.0-1.3.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
curl-7.74.0-1.2.mga8
lib(64)curl4-7.74.0-1.2.mga8
lib(64)curl-devel-7.74.0-1.2.mga8
curl-examples-7.74.0-1.2.mga8

from SRPM:
curl-7.74.0-1.2.mga8.src.rpm

Source RPM: curl-7.74.0-1.mga8.src.rpm => curl-7.74.0-1.1.mga8.src.rpm
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Patches available from upstream => (none)
CVE: (none) => CVE-2021-22898

Comment 2 Herman Viaene 2021-05-29 16:28:08 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 238789 for tests
$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="6563ccb5a75f2d3d12d558fd458115ea33440917"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, 
and more ......

$ curl -I https://www.keycdn.com/
HTTP/2 200 
server: keycdn-engine
date: Sat, 29 May 2021 14:17:21 GMT
content-type: text/html
last-modified: Wed, 26 May 2021 18:28:19 GMT
vary: Accept-Encoding
etag: W/"60ae9343-10111"
expires: Sat, 05 Jun 2021 14:17:21 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  10126      0 --:--:-- --:--:-- --:--:-- 10055
file looks OK

MCC is set to use curl and performs OK.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK
CC: (none) => herman.viaene

Comment 3 David Walser 2021-05-30 04:40:52 CEST
Fedora has issued an advisory for this on May 28:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BQBFQI6AGHALKDLOL5S4ST4RMK2YG5SG/

Comment 4 Hugues Detavernier 2021-06-03 21:08:06 CEST
Mga 8 x64 KDE
No installation issues

rpm -q curl:
curl-7.74.0-1.2.mga8

tests:
curl -v https://geekflare.com
*   Trying 2606:4700:20::681b:7773:443...
* Connected to geekflare.com (2606:4700:20::681b:7773) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Aug  8 00:00:00 2020 GMT
*  expire date: Aug  8 12:00:00 2021 GMT
*  subjectAltName: host "geekflare.com" matched cert's "geekflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xfc5b00)
> GET / HTTP/2
> Host: geekflare.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 403 
< date: Thu, 03 Jun 2021 19:04:18 GMT
< content-type: text/plain; charset=UTF-8
< content-length: 16
< x-frame-options: SAMEORIGIN
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< cf-request-id: 0a74dc2a0e0000085fdb8fe000000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=im8BsO7e2GPrAh4ijGZChJ6r%2F86SfHy0edB0icoWSpPbxqm0MNsGawHdciZY1hBsEtHrU4m9o5YAAFSn3hxZDCcla2H9nweVWZVWFlzyEutGUIO5BwOwKmWmmvzrc%2FwsLupFH2J1"}],"group":"cf-nel","max_age":604800}
< nel: {"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 659b2fbcefea085f-CDG
< alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
< 
* Connection #0 to host geekflare.com left intact

CC: (none) => hdetavernier

Comment 5 Aurelien Oudelet 2021-06-08 21:27:34 CEST
Validating. Advisory:

type: security
subject: Updated curl packages fix a security vulnerability
CVE:
 - CVE-2021-22898
src:
  8:
   core:
     - curl-7.74.0-1.2.mga8
  7:
   core:
     - curl-7.71.0-1.3.mga7
description: |
  TELNET stack contents disclosure (CVE-2021-22898).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=28971
 - https://curl.se/docs/CVE-2021-22898.html
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BQBFQI6AGHALKDLOL5S4ST4RMK2YG5SG/

CC: (none) => ouaurelien, sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 6 Mageia Robot 2021-06-08 23:46:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0243.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

