cURL has issued advisories today (May 11):
https://curl.se/docs/CVE-2022-27781.html
https://curl.se/docs/CVE-2022-27782.html

The issues are fixed upstream in 7.83.1.
For completeness/reference, CVE-2022-2777[89], CVE-2022-27780, CVE-2022-30115 were also fixed in 7.83.1, but it's already updated in Cauldron, and those issues don't affect the version in Mageia 8.
CC: (none) => nicolas.salguero
Status comment: (none) => Fixed upstream in 7.83.1
Ubuntu has issued an advisory for this today (May 11): https://ubuntu.com/security/notices/USN-5412-1
Stig seems to be the main maintainer of curl, so assigning the bug to you.
Assignee: bugsquad => smelror
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

CERTINFO never-ending busy-loop. (CVE-2022-27781)

TLS and SSH connection too eager reuse. (CVE-2022-27782)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27781
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27782
https://curl.se/docs/CVE-2022-27781.html
https://curl.se/docs/CVE-2022-27782.html
https://ubuntu.com/security/notices/USN-5412-1
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.6.mga8
curl-examples-7.74.0-1.6.mga8
lib(64)curl4-7.74.0-1.6.mga8
lib(64)curl-devel-7.74.0-1.6.mga8

from SRPM:
curl-7.74.0-1.6.mga8.src.rpm
Status: NEW => ASSIGNED
CVE: (none) => CVE-2022-27781, CVE-2022-27782
Status comment: Fixed upstream in 7.83.1 => (none)
Assignee: smelror => qa-bugs
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
ref bug 30352

$ curl https://www.keycdn.com
<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="832422ebc22a4718adc64fdf0cad4375f39e93af"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@KeyCDN"><meta name=twitter:creator content="@KeyCDN"><meta property="og:url" content="https://www.keycdn.com"><meta property="og:type" content="website"><meta property="og:title" content="KeyCDN - Content delivery made easy"><meta property="og:description" content="KeyCDN is a high p.......
a long list.......

$ curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 301
server: keycdn-engine
date: Thu, 12 May 2022 12:32:51 GMT
content-type: text/html
content-length: 162
location: https://www.keycdn.com/keycdn.com
expires: Thu, 19 May 2022 12:32:51 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: MISS
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0  18675      0 --:--:-- --:--:-- --:--:-- 18675

$ curl -v https://geekflare.com
* Trying 172.67.70.213:443...
* Connected to geekflare.com (172.67.70.213) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
etc........
at the end
<
* Connection #0 to host geekflare.com left intact

All OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0185.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED