cURL has issued advisories today (December 21): https://curl.se/docs/CVE-2022-43551.html https://curl.se/docs/CVE-2022-43552.html It says that the first issue was introduced in 7.77.0, but we need to check that it wasn't also introduced by patches to fix CVE-2022-42916 and CVE-2022-30115, given the description. The issues are fixed upstream in 7.87.0.
Status comment: (none) => Fixed upstream in 7.87.0
openSUSE has issued an advisory for this today (December 21): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SQ4FFB6OHYJ2NLJSNA767MNOKSZ3XGF2/
Various packagers deal with curl, so best to assign this bug globally.
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this on December 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/
cURL 7.74 is not built with HSTS support, so CVE-2022-43551 does not affect Mageia 8, even if the code was affected by that CVE. For that reason, I backported the upstream patch to ensure that, if we rebuild cURL with HSTS in the future, there will be no problem.
CC: (none) => nicolas.salguero
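The comment above rests on the build not having HSTS compiled in. The check below is an added example, not part of this bug report or of the Mageia package: it parses the "Features:" line of `curl --version` output (which lists "HSTS" only when HSTS support was compiled in) and reports whether the HSTS code path exists in a given binary. The two sample version outputs are constructed for illustration and are not real Mageia build output.

```shell
#!/bin/sh
# Added example: decide whether a curl binary carries the HSTS code path by
# inspecting the "Features:" line of `curl --version`.

# curl_has_feature FEATURE
# Reads full `curl --version` output on stdin; exit 0 if FEATURE is listed.
curl_has_feature() {
    feature="$1"
    # The line looks like: "Features: alt-svc AsynchDNS HSTS IPv6 ..."
    grep -i '^Features:' | tr ' ' '\n' | grep -qx "$feature"
}

# hsts_built_in VERSION_OUTPUT
# Prints "yes" if HSTS is compiled in, "no" otherwise. A bypass in the HSTS
# code (CVE-2022-43551) can only be reached when the feature is present.
hsts_built_in() {
    if printf '%s\n' "$1" | curl_has_feature HSTS; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample resembling a 7.74-era build without HSTS (assumption).
SAMPLE_NO_HSTS='curl 7.74.0 (x86_64-mageia-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1
Release-Date: 2020-12-09
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS IPv6 Largefile libz SSL'

# Constructed sample resembling a build with HSTS enabled (assumption).
SAMPLE_HSTS='curl 7.87.0 (x86_64-pc-linux-gnu) libcurl/7.87.0 OpenSSL/3.0.7
Release-Date: 2022-12-21
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS IPv6 Largefile libz SSL'

# When run directly, report on the curl installed on this machine, if any.
if command -v curl >/dev/null 2>&1; then
    echo "installed curl: HSTS built in = $(hsts_built_in "$(curl --version)")"
fi
```

The same "Features:" check applies to any curl feature flag (for example alt-svc or IDN), so it is a quick way to confirm, before backporting, which compiled-in code paths a distribution build actually exposes.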
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Another HSTS bypass via IDN. (CVE-2022-43551)

HTTP Proxy deny use-after-free. (CVE-2022-43552)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43552
https://curl.se/docs/CVE-2022-43551.html
https://curl.se/docs/CVE-2022-43552.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/SQ4FFB6OHYJ2NLJSNA767MNOKSZ3XGF2/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TVWZW5CNSJ7UYAF2BGSYAWAEXDJYUBHA/
========================

Updated packages in core/updates_testing:
========================

curl-7.74.0-1.10.mga8
curl-examples-7.74.0-1.10.mga8
lib(64)curl4-7.74.0-1.10.mga8
lib(64)curl-devel-7.74.0-1.10.mga8

from SRPM:
curl-7.74.0-1.10.mga8.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 7.87.0 => (none)
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Following lead from bugs 30794 and 31031:

$ curl https://www.keycdn.com | more
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<!doctype html><html lang=en prefix="og: http://ogp.me/ns#"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=version content="4630a376cd49342fc7ee8bdef3bdbd817b7541d3"><title>KeyCDN - Content delivery made easy</title><meta name=description content="KeyCDN is a high performance content delivery
etc .......

$ curl -I https://www.keycdn.com/keycdn.com/
HTTP/2 301
server: keycdn-engine
date: Thu, 29 Dec 2022 10:20:53 GMT
content-type: text/html
content-length: 162
location: https://www.keycdn.com/keycdn.com
expires: Thu, 05 Jan 2023 10:20:53 GMT
cache-control: max-age=604800
strict-transport-security: max-age=31536000; includeSubdomains; preload
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-cache: MISS
x-edge-location: nlam
access-control-allow-origin: *

$ curl -o myfile.css https://www.keycdn.com/css/animate.min.css
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1438  100  1438    0     0   8078      0 --:--:-- --:--:-- --:--:--  8124

$ curl -v https://geekflare.com
*   Trying 172.66.43.163:443...
* Connected to geekflare.com (172.66.43.163) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
*  start date: Jun  7 00:00:00 2022 GMT
*  expire date: Jun  6 23:59:59 2023 GMT
etc
-----
and at the end:
* Connection #0 to host geekflare.com left intact

Continuing along TJ's test in bug 31031
CC: (none) => herman.viaene
Rebooted and Wifi was up OK. Nevertheless went to MCC - NM to do the configuration over. Worked all OK.
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0483.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED