Bug 29461 - curl new security issues CVE-2021-2294[5-7]
Summary: curl new security issues CVE-2021-2294[5-7]
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2021-09-15 15:51 CEST by Nicolas Salguero
Modified: 2021-09-21 18:13 CEST (History)
4 users (show)

See Also:
Source RPM: curl-7.74.0-1.3.mga8.src.rpm
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2021-09-15 15:51:09 CEST
cURL has issued advisories today (September 15):
https://curl.se/docs/CVE-2021-22945.html
https://curl.se/docs/CVE-2021-22946.html
https://curl.se/docs/CVE-2021-22947.html

The issues are fixed upstream in 7.79.0.

Mageia 8 is also affected.
Nicolas Salguero 2021-09-15 15:51:43 CEST

Status comment: (none) => Fixed upstream in 7.79.0
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2021-09-15 16:06:11 CEST
Ubuntu has issued an advisory for this today (September 15):
https://ubuntu.com/security/notices/USN-5079-1
Comment 2 Nicolas Salguero 2021-09-15 16:37:17 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

UAF and double-free in MQTT sending. (CVE-2021-22945)

Protocol downgrade required TLS bypassed. (CVE-2021-22946)

STARTTLS protocol injection via MITM. (CVE-2021-22947)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947
https://curl.se/docs/CVE-2021-22945.html
https://curl.se/docs/CVE-2021-22946.html
https://curl.se/docs/CVE-2021-22947.html
https://ubuntu.com/security/notices/USN-5079-1
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.4.mga8
curl-examples-7.74.0-1.4.mga8
lib(64)curl4-7.74.0-1.4.mga8
lib(64)curl-devel-7.74.0-1.4.mga8

from SRPM:
curl-7.74.0-1.4.mga8.src.rpm

Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 7.79.0 => (none)
Version: Cauldron => 8
Source RPM: (none) => curl-7.74.0-1.3.mga8.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 3 Herman Viaene 2021-09-18 15:02:51 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues
Ref bug 28971 for testing:
$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="07c64cb353673db5f0d6a6337ef3c7c5e5958410"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter
and more ......

curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 200 
server: keycdn-engine
date: Sat, 18 Sep 2021 12:59:34 GMT
content-type: text/html
last-modified: Wed, 08 Sep 2021 16:47:03 GMT
vary: Accept-Encoding
etag: W/"6138e907-10111"
expires: Sat, 25 Sep 2021 12:59:34 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: HIT
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  16528      0 --:--:-- --:--:-- --:--:-- 16528

$ curl -v https://geekflare.com
*   Trying 104.27.119.115:443...
* Connected to geekflare.com (104.27.119.115) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jul  8 00:00:00 2021 GMT
*  expire date: Jul  7 23:59:59 2022 GMT
*  subjectAltName: host "geekflare.com" matched cert's "geekflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xec4b00)
> GET / HTTP/2
> Host: geekflare.com
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 403 
< date: Sat, 18 Sep 2021 13:01:33 GMT
< content-type: text/plain; charset=UTF-8
< content-length: 16
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z%2Bfo4tKmIU2lSW%2B%2BBAaZgjiFOmb08IJK%2BcxOXUYBPAYQ4bUtF90khxDIanFUgU0Gfo9C9qFn2TLSgzOQ6dNMY5CSUj%2FWKyMaQW%2BRcQmXFOhkMabhv5yf4R9YqPYbKiI%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15552000; preload
< x-content-type-options: nosniff
< server: cloudflare
< cf-ray: 690ac37a0e48fa8c-AMS
< alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
< 
* Connection #0 to host geekflare.com left intact
 Looks all OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-09-20 14:32:33 CEST
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 David Walser 2021-09-21 18:13:02 CEST
Fedora has issued an advisory for this today (September 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J64OFB3I6OV4T3FD3PVSPTCKGUJCXUXX/

I heard on IRC that 7.79.0 had some regressions and another update will come soon.  Also, they said that the regressions should not affect those who backported patches (like we did), but Ubuntu did issue regression fix updates, so hopefully we're not affected.
https://ubuntu.com/security/notices/USN-5079-3

CC: (none) => luigiwalser


Note You need to log in before you can comment on or make changes to this bug.