cURL has issued an advisory today (August 31): https://curl.se/docs/CVE-2022-35252.html The issue is fixed upstream in 7.85.0. Mageia 8 is also affected.
CC: (none) => smelrorStatus comment: (none) => Fixed upstream in 7.85.0Whiteboard: (none) => MGA8TOO
Suggested advisory: ======================== The updated packages fix a security vulnerability: Control code in cookie denial of service. (CVE-2022-35252) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-35252 https://curl.se/docs/CVE-2022-35252.html ======================== Updated packages in core/updates_testing: ======================== curl-7.74.0-1.8.mga8 curl-examples-7.74.0-1.8.mga8 lib(64)curl4-7.74.0-1.8.mga8 lib(64)curl-devel-7.74.0-1.8.mga8 from SRPM: curl-7.74.0-1.8.mga8.src.rpm
Assignee: bugsquad => qa-bugsWhiteboard: MGA8TOO => (none)CC: (none) => nicolas.salgueroSource RPM: curl-7.84.0-1.mga9.src.rpm => curl-7.74.0-1.7.mga8.src.rpmVersion: Cauldron => 8CVE: (none) => CVE-2022-35252Status: NEW => ASSIGNEDStatus comment: Fixed upstream in 7.85.0 => (none)
Ubuntu has issued an advisory for this on September 1: https://ubuntu.com/security/notices/USN-5587-1
Fedora has issued an advisory for this today (September 6): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TXSXGBF37COLVO73E7EGYA34POPEHESU/
MGA8 64 Updated with QA repo and rmps: curl-7.74.0-1.8.mga8 curl-examples-7.74.0-1.8.mga8 lib(64)curl4-7.74.0-1.8.mga8 lib(64)curl-devel-7.74.0-1.8.mga8 No installation issue. curl --version curl 7.74.0 (x86_64-mageia-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1q zlib/1.2.12 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.9.6/gnutls/zlib nghttp2/1.42.0 Release-Date: 2020-12-09 Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets curl -I https://www.mageia.org/fr/ HTTP/1.1 200 OK Date: Mon, 12 Sep 2022 13:34:38 GMT Server: Apache Content-Type: text/html; charset=UTF-8
CC: (none) => guillaume.royer
MGA8-64 Plasma on Acer Aspire 5253 No installation issues Ref bug 30410 for testing $ curl https://www.keycdn.com <!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="e1dba63e99ec2d19c042d862faa82e014d93583f"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery network (CDN). Our global network will deliver any digital content, such as a website, software, or game, at a blazing fast speed."><meta name=twitter:card content="summary_large_image"><meta name=twitter:site content="@KeyCDN"><meta name=twitter:creator content="@KeyCDN"><meta property etc ...... $ curl -I https://www.keycdn.com/keycdn.com/ HTTP/2 301 server: keycdn-engine date: Thu, 15 Sep 2022 13:12:50 GMT content-type: text/html content-length: 162 location: https://www.keycdn.com/keycdn.com expires: Thu, 22 Sep 2022 13:12:50 GMT cache-control: max-age=604800 strict-transport-security: max-age=31536000; includeSubdomains; preload content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data: x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: no-referrer-when-downgrade x-cache: MISS x-edge-location: nlam access-control-allow-origin: * $ curl -o myfile.css https://www.keycdn.com/css/animate.min.css % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1438 100 1438 0 0 8610 0 --:--:-- --:--:-- --:--:-- 8662 $ curl -v https://geekflare.com * Trying 172.66.43.163:443... * Connected to geekflare.com (172.66.43.163) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt * CApath: none * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): etc ... and at the end * Connection #0 to host geekflare.com left intact This seems all to be correct.
CC: (none) => herman.viaeneWhiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0333.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED