cURL has issued advisories today (July 21):
The issues are fixed upstream in 7.78.0.
Mageia 8 is also affected.
Note that there are no patches for the first two CVEs; the fix is disabling metalink support in curl.
Fixed upstream in 7.78.0
SUSE has issued an advisory for this today (July 21):
This 'nobody' SRPM has been committed by different people, so assigning the bug globally.
The updated packages fix security vulnerabilities:
Wrong content via metalink not discarded. (CVE-2021-22922)
Metalink download sends credentials. (CVE-2021-22923)
Bad connection reuse due to flawed path name checks. (CVE-2021-22924)
TELNET stack contents disclosure again. (CVE-2021-22925)
Updated packages in core/updates_testing:
Ubuntu has issued an advisory for this on July 22:
curl command works fine for downloading a few things. Since it was just patched and has an extensive build-time test suite, extensive QA testing is not necessary. OK for Mageia 8 x86_64.
Validating. Advisory in Comment 4.
An update for this issue has been pushed to the Mageia Updates repository.