cURL has issued advisories today (July 21):
https://curl.se/docs/CVE-2021-22922.html
https://curl.se/docs/CVE-2021-22923.html
https://curl.se/docs/CVE-2021-22924.html
https://curl.se/docs/CVE-2021-22925.html
The issues are fixed upstream in 7.78.0. Mageia 8 is also affected.
Note that there are no patches for the first two CVEs; the fix is disabling metalink support in curl.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 7.78.0
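Since the fix for the first two CVEs is a rebuild without metalink rather than a code patch, the useful verification on an updated host is whether the installed binary still advertises the feature. The script below is an added example, not part of this bug report or of the curl project: it parses the `Features:` line of `curl --version` output for the `Metalink` token, runs that check over two constructed version texts (one built with metalink, one without; the feature lists are hypothetical, not copied from any real Mageia build), and then, if a curl binary is on the PATH, reports the verdict for it.

```shell
#!/bin/sh
# has_metalink_feature: reads `curl --version` output on stdin and succeeds
# (exit 0) only if the "Features:" line lists the Metalink token.
has_metalink_feature() {
    grep -i '^Features:' | tr ' ' '\n' | grep -qx 'Metalink'
}

# metalink_verdict VERSION_TEXT: prints a short verdict for the given text.
metalink_verdict() {
    if printf '%s\n' "$1" | has_metalink_feature; then
        echo "metalink-enabled"
    else
        echo "metalink-disabled"
    fi
}

# Constructed sample resembling a curl 7.74.0 built with libmetalink
# (hypothetical feature list for illustration only).
SAMPLE_WITH_METALINK='curl 7.74.0 (x86_64-mageia-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1k zlib/1.2.11
Release-Date: 2020-12-09
Protocols: dict file ftp ftps http https telnet
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile libz Metalink NTLM SSL'

# Constructed sample of the same build rebuilt with metalink disabled
# (hypothetical feature list for illustration only).
SAMPLE_WITHOUT_METALINK='curl 7.74.0 (x86_64-mageia-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1k zlib/1.2.11
Release-Date: 2020-12-09
Protocols: dict file ftp ftps http https telnet
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile libz NTLM SSL'

echo "sample with metalink:    $(metalink_verdict "$SAMPLE_WITH_METALINK")"
echo "sample without metalink: $(metalink_verdict "$SAMPLE_WITHOUT_METALINK")"

# Check the locally installed curl, if there is one.
if command -v curl >/dev/null 2>&1; then
    echo "installed curl:          $(metalink_verdict "$(curl --version)")"
fi
```

A host that has received the rebuilt package should report `metalink-disabled`; `metalink-enabled` means the binary still carries the code paths covered by CVE-2021-22922 and CVE-2021-22923 and the update has not been applied.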
SUSE has issued an advisory for this today (July 21): https://lists.suse.com/pipermail/sle-security-updates/2021-July/009187.html
This 'nobody' SRPM has been committed by different people, so assigning the bug globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Wrong content via metalink not discarded. (CVE-2021-22922)

Metalink download sends credentials. (CVE-2021-22923)

Bad connection reuse due to flawed path name checks. (CVE-2021-22924)

TELNET stack contents disclosure again. (CVE-2021-22925)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22922
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22923
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22924
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22925
https://curl.se/docs/CVE-2021-22922.html
https://curl.se/docs/CVE-2021-22923.html
https://curl.se/docs/CVE-2021-22924.html
https://curl.se/docs/CVE-2021-22925.html
https://lists.suse.com/pipermail/sle-security-updates/2021-July/009187.html
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.3.mga8
curl-examples-7.74.0-1.3.mga8
lib(64)curl4-7.74.0-1.3.mga8
lib(64)curl-devel-7.74.0-1.3.mga8

from SRPM:
curl-7.74.0-1.3.mga8.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Source RPM: curl-7.77.0-1.mga9.src.rpm => curl-7.74.0-1.2.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 7.78.0 => (none)
Ubuntu has issued an advisory for this on July 22: https://ubuntu.com/security/notices/USN-5021-1
The curl command works fine for downloading a few things. Since it was just patched and has an extensive build-time test suite, extensive QA testing is not necessary. OK for Mageia 8 x86_64.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CVE: (none) => CVE-2021-2292[2-5]
Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0384.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED