cURL has issued advisories today (September 15):
https://curl.se/docs/CVE-2021-22945.html
https://curl.se/docs/CVE-2021-22946.html
https://curl.se/docs/CVE-2021-22947.html
The issues are fixed upstream in 7.79.0. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 7.79.0
Whiteboard: (none) => MGA8TOO
Ubuntu has issued an advisory for this today (September 15):
https://ubuntu.com/security/notices/USN-5079-1
Suggested advisory:
========================
The updated packages fix security vulnerabilities:
UAF and double-free in MQTT sending. (CVE-2021-22945)
Protocol downgrade required TLS bypassed. (CVE-2021-22946)
STARTTLS protocol injection via MITM. (CVE-2021-22947)
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947
https://curl.se/docs/CVE-2021-22945.html
https://curl.se/docs/CVE-2021-22946.html
https://curl.se/docs/CVE-2021-22947.html
https://ubuntu.com/security/notices/USN-5079-1
========================
Updated packages in core/updates_testing:
========================
curl-7.74.0-1.4.mga8
curl-examples-7.74.0-1.4.mga8
lib(64)curl4-7.74.0-1.4.mga8
lib(64)curl-devel-7.74.0-1.4.mga8
from SRPM:
curl-7.74.0-1.4.mga8.src.rpm
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Source RPM: (none) => curl-7.74.0-1.3.mga8.src.rpm
Version: Cauldron => 8
Assignee: bugsquad => qa-bugs
Status comment: Fixed upstream in 7.79.0 => (none)
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 28971 for testing:
$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="07c64cb353673db5f0d6a6337ef3c7c5e5958410"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter and more ......
curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 200
server: keycdn-engine
date: Sat, 18 Sep 2021 12:59:34 GMT
content-type: text/html
last-modified: Wed, 08 Sep 2021 16:47:03 GMT
vary: Accept-Encoding
etag: W/"6138e907-10111"
expires: Sat, 25 Sep 2021 12:59:34 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *
$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  16528      0 --:--:-- --:--:-- --:--:-- 16528
$ curl -v https://geekflare.com
*   Trying 104.27.119.115:443...
* Connected to geekflare.com (104.27.119.115) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jul  8 00:00:00 2021 GMT
*  expire date: Jul  7 23:59:59 2022 GMT
*  subjectAltName: host "geekflare.com" matched cert's "geekflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xec4b00)
> GET / HTTP/2
> Host: geekflare.com
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 403
< date: Sat, 18 Sep 2021 13:01:33 GMT
< content-type: text/plain; charset=UTF-8
< content-length: 16
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z%2Bfo4tKmIU2lSW%2B%2BBAaZgjiFOmb08IJK%2BcxOXUYBPAYQ4bUtF90khxDIanFUgU0Gfo9C9qFn2TLSgzOQ6dNMY5CSUj%2FWKyMaQW%2BRcQmXFOhkMabhv5yf4R9YqPYbKiI%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 690ac37a0e48fa8c-AMS
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
<
* Connection #0 to host geekflare.com left intact
Looks all OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Fedora has issued an advisory for this today (September 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J64OFB3I6OV4T3FD3PVSPTCKGUJCXUXX/
I heard on IRC that 7.79.0 had some regressions and another update will come soon. Also, they said that the regressions should not affect those who backported patches (like we did), but Ubuntu did issue regression fix updates, so hopefully we're not affected.
https://ubuntu.com/security/notices/USN-5079-3
CC: (none) => luigiwalser
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0438.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED