29461 – curl new security issues CVE-2021-2294[5-7]

Bug 29461 - curl new security issues CVE-2021-2294[5-7]

Summary: curl new security issues CVE-2021-2294[5-7]

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-09-15 15:51 CEST by Nicolas Salguero
Modified:	2021-09-23 06:52 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	curl-7.74.0-1.3.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2021-09-15 15:51:09 CEST

cURL has issued advisories today (September 15):
https://curl.se/docs/CVE-2021-22945.html
https://curl.se/docs/CVE-2021-22946.html
https://curl.se/docs/CVE-2021-22947.html

The issues are fixed upstream in 7.79.0.

Mageia 8 is also affected.

Nicolas Salguero 2021-09-15 15:51:43 CEST

Status comment: (none) => Fixed upstream in 7.79.0
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-09-15 16:06:11 CEST

Ubuntu has issued an advisory for this today (September 15):
https://ubuntu.com/security/notices/USN-5079-1

Comment 2 Nicolas Salguero 2021-09-15 16:37:17 CEST

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

UAF and double-free in MQTT sending. (CVE-2021-22945)

Protocol downgrade required TLS bypassed. (CVE-2021-22946)

STARTTLS protocol injection via MITM. (CVE-2021-22947)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947
https://curl.se/docs/CVE-2021-22945.html
https://curl.se/docs/CVE-2021-22946.html
https://curl.se/docs/CVE-2021-22947.html
https://ubuntu.com/security/notices/USN-5079-1
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.4.mga8
curl-examples-7.74.0-1.4.mga8
lib(64)curl4-7.74.0-1.4.mga8
lib(64)curl-devel-7.74.0-1.4.mga8

from SRPM:
curl-7.74.0-1.4.mga8.src.rpm

Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Source RPM: (none) => curl-7.74.0-1.3.mga8.src.rpm
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 7.79.0 => (none)

Comment 3 Herman Viaene 2021-09-18 15:02:51 CEST

MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 28971 for testing:
$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="07c64cb353673db5f0d6a6337ef3c7c5e5958410"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter
and more ......

curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 200 
server: keycdn-engine
date: Sat, 18 Sep 2021 12:59:34 GMT
content-type: text/html
last-modified: Wed, 08 Sep 2021 16:47:03 GMT
vary: Accept-Encoding
etag: W/"6138e907-10111"
expires: Sat, 25 Sep 2021 12:59:34 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  16528      0 --:--:-- --:--:-- --:--:-- 16528

$ curl -v https://geekflare.com
*   Trying 104.27.119.115:443...
* Connected to geekflare.com (104.27.119.115) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jul  8 00:00:00 2021 GMT
*  expire date: Jul  7 23:59:59 2022 GMT
*  subjectAltName: host "geekflare.com" matched cert's "geekflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xec4b00)
> GET / HTTP/2
> Host: geekflare.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 403 
< date: Sat, 18 Sep 2021 13:01:33 GMT
< content-type: text/plain; charset=UTF-8
< content-length: 16
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z%2Bfo4tKmIU2lSW%2B%2BBAaZgjiFOmb08IJK%2BcxOXUYBPAYQ4bUtF90khxDIanFUgU0Gfo9C9qFn2TLSgzOQ6dNMY5CSUj%2FWKyMaQW%2BRcQmXFOhkMabhv5yf4R9YqPYbKiI%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 690ac37a0e48fa8c-AMS
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
< 
* Connection #0 to host geekflare.com left intact
 Looks all OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-09-20 14:32:33 CEST

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2021-09-21 18:13:02 CEST

Fedora has issued an advisory for this today (September 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J64OFB3I6OV4T3FD3PVSPTCKGUJCXUXX/

I heard on IRC that 7.79.0 had some regressions and another update will come soon.  Also, they said that the regressions should not affect those who backported patches (like we did), but Ubuntu did issue regression fix updates, so hopefully we're not affected.
https://ubuntu.com/security/notices/USN-5079-3

CC: (none) => luigiwalser

Dave Hodgins 2021-09-22 23:30:46 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 6 Mageia Robot 2021-09-23 06:52:38 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0438.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.