Bug 30410 - curl new security issues CVE-2022-2778[12]
Summary: curl new security issues CVE-2022-2778[12]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
 
Reported: 2022-05-11 19:46 CEST by David Walser
Modified: 2022-05-15 12:08 CEST

Source RPM: curl-7.74.0-1.5.mga8.src.rpm
CVE: CVE-2022-27781, CVE-2022-27782

Description David Walser 2022-05-11 19:46:14 CEST
cURL has issued advisories today (May 11):
https://curl.se/docs/CVE-2022-27781.html
https://curl.se/docs/CVE-2022-27782.html

The issues are fixed upstream in 7.83.1.

Comment 1 David Walser 2022-05-11 19:47:27 CEST
For completeness/reference, CVE-2022-2777[89], CVE-2022-27780, CVE-2022-30115 were also fixed in 7.83.1, but it's already updated in Cauldron, and those issues don't affect the version in Mageia 8.

CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 7.83.1

Comment 2 David Walser 2022-05-11 20:10:04 CEST
Ubuntu has issued an advisory for this today (May 11):
https://ubuntu.com/security/notices/USN-5412-1

Comment 3 Lewis Smith 2022-05-11 21:31:29 CEST
Stig seems to be the main maintainer of curl, so assigning the bug to you.

Assignee: bugsquad => smelror

Comment 4 Nicolas Salguero 2022-05-12 09:44:57 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

CERTINFO never-ending busy-loop. (CVE-2022-27781)

TLS and SSH connection too eager reuse. (CVE-2022-27782)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782
https://curl.se/docs/CVE-2022-27781.html
https://curl.se/docs/CVE-2022-27782.html
https://ubuntu.com/security/notices/USN-5412-1
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.6.mga8
curl-examples-7.74.0-1.6.mga8
lib(64)curl4-7.74.0-1.6.mga8
lib(64)curl-devel-7.74.0-1.6.mga8

from SRPM:
curl-7.74.0-1.6.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-27781, CVE-2022-27782
Status comment: Fixed upstream in 7.83.1 => (none)
Assignee: smelror => qa-bugs

Comment 5 Herman Viaene 2022-05-12 14:36:11 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
ref bug 30352
$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="832422ebc22a4718adc64fdf0cad4375f39e93af"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@KeyCDN"><meta name=twitter:creator content="@KeyCDN"><meta property="og:url" content="https://www.keycdn.com"><meta property="og:type" content="website"><meta property="og:title" content="KeyCDN - Content delivery made easy"><meta property="og:description" content="KeyCDN is a high p....... a long list.......

$ curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 301 
server: keycdn-engine
date: Thu, 12 May 2022 12:32:51 GMT
content-type: text/html
content-length: 162
location: https://www.keycdn.com/keycdn.com
expires: Thu, 19 May 2022 12:32:51 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: MISS
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  18675      0 --:--:-- --:--:-- --:--:-- 18675

$ curl -v https://geekflare.com
*   Trying 172.67.70.213:443...
* Connected to geekflare.com (172.67.70.213) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
etc........
at the end
< 
* Connection #0 to host geekflare.com left intact

All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2022-05-13 14:50:10 CEST
Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-15 00:38:12 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2022-05-15 12:08:09 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0185.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

