Bug 31554 - curl new security issue CVE-2023-23916
Summary: curl new security issue CVE-2023-23916
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2023-02-15 17:10 CET by David Walser
Modified: 2023-02-20 22:27 CET

See Also:
Source RPM: curl-7.74.0-1.10.mga8.src.rpm
CVE: CVE-2023-23916
Status comment:



Description David Walser 2023-02-15 17:10:57 CET
cURL has issued advisories today (February 15):
https://curl.se/docs/CVE-2023-23914.html
https://curl.se/docs/CVE-2023-23915.html
https://curl.se/docs/CVE-2023-23916.html

The issues are fixed upstream in 7.88.0.

Stig-Ørjan has already updated Cauldron.

Mageia 8 is also affected by CVE-2023-23916.
Comment 1 Lewis Smith 2023-02-15 21:06:54 CET
Assigning to Stig, but if this is not appropriate, CC'ing NicolasS who did the last CVE update.

CC: (none) => nicolas.salguero
Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2023-02-15 22:34:14 CET
7.88.0 was sent to the build system for Cauldron earlier today.
Comment 3 David Walser 2023-02-15 22:35:13 CET
(In reply to Stig-Ørjan Smelror from comment #2)
> 7.88.0 was sent to the build system for Cauldron earlier today.

Yes, already noted.  Mageia 8 needs to be patched.
Comment 4 Nicolas Salguero 2023-02-16 15:33:36 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

HTTP multi-header compression denial of service. (CVE-2023-23916)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916
https://curl.se/docs/CVE-2023-23916.html
========================

Updated packages in core/updates_testing:
========================
curl-7.74.0-1.11.mga8
curl-examples-7.74.0-1.11.mga8
lib(64)curl4-7.74.0-1.11.mga8
lib(64)curl-devel-7.74.0-1.11.mga8

from SRPM:
curl-7.74.0-1.11.mga8.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2023-23916
Assignee: smelror => qa-bugs
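
The advisory text above names the bug class only as "HTTP multi-header compression denial of service". As an added illustration (not curl's code and not part of this bug report), the following minimal HTTP response decoder shows the two behaviours side by side: a client that sets up one decoder stage per listed content-coding with no upper bound, and a hardened client that rejects the response once the chain is longer than a fixed cap. The cap of five is an assumption taken from the upstream 7.88.0 fix rather than from this page; the benign and hostile responses are constructed for the example.

```python
"""Added illustration of the bug class behind CVE-2023-23916 (stacked
Content-Encoding handling). This is not curl's code: it is a minimal
HTTP response decoder with an unbounded mode (the vulnerable behaviour)
and a capped mode (the hardened behaviour)."""
import gzip
import zlib

# Cap on chained content-codings. Assumption: mirrors the limit the
# upstream 7.88.0 fix introduced; the number itself is not on the bug page.
MAX_ENCODING_STACK = 5

# Decoders for content-codings a client typically advertises.
# HTTP "deflate" is the zlib-wrapped form (RFC 9110), hence zlib.decompress.
DECODERS = {
    "gzip": gzip.decompress,
    "x-gzip": gzip.decompress,
    "deflate": zlib.decompress,
    "identity": lambda data: data,
}


class EncodingStackTooDeep(ValueError):
    """Raised when a response chains more content-codings than allowed."""


def encoding_chain(headers):
    """Return the content-codings in the order the sender applied them.

    `headers` is a list of (name, value) pairs. Repeated Content-Encoding
    lines and comma-separated lists both count, which is what lets an
    attacker grow the chain with very few header bytes.
    """
    chain = []
    for name, value in headers:
        if name.lower() != "content-encoding":
            continue
        chain.extend(tok.strip().lower() for tok in value.split(",") if tok.strip())
    return chain


def plan_decoders(headers, limit=MAX_ENCODING_STACK):
    """Build the list of decoder callables needed to undo the chain.

    With limit=None this behaves like the vulnerable client: one decoder
    stage per listed encoding, with no upper bound. With a limit, an
    over-long chain is rejected before any stage is set up.
    """
    chain = encoding_chain(headers)
    if limit is not None and len(chain) > limit:
        raise EncodingStackTooDeep(
            f"{len(chain)} chained content-codings exceed the limit of {limit}"
        )
    stages = []
    # Undo encodings in reverse of the order they were applied.
    for enc in reversed(chain):
        if enc not in DECODERS:
            raise ValueError(f"unsupported content-coding {enc!r}")
        stages.append(DECODERS[enc])
    return stages


def decode_body(headers, body, limit=MAX_ENCODING_STACK):
    """Decode `body` through the planned stages; raises on an over-long chain."""
    for stage in plan_decoders(headers, limit):
        body = stage(body)
    return body


def is_acceptable(headers, limit=MAX_ENCODING_STACK):
    """True if the response's encoding chain is within the limit."""
    try:
        plan_decoders(headers, limit)
    except EncodingStackTooDeep:
        return False
    return True


def sample_response():
    """Constructed benign response: payload gzip-compressed twice."""
    payload = b"hello from the origin"
    headers = [("Content-Type", "text/plain"), ("Content-Encoding", "gzip, gzip")]
    return headers, gzip.compress(gzip.compress(payload)), payload


def hostile_headers(depth):
    """Constructed attacker response: Content-Encoding repeated `depth` times."""
    return [("Content-Type", "text/plain")] + [("Content-Encoding", "gzip")] * depth


if __name__ == "__main__":
    headers, body, payload = sample_response()
    assert decode_body(headers, body) == payload
    # Unbounded client: 10000 decoder stages planned from a few KB of headers.
    print(len(plan_decoders(hostile_headers(10000), limit=None)))
    # Hardened client: rejected up front, nothing allocated.
    print(is_acceptable(hostile_headers(10000)))
```

The point to take from the two modes is where the check sits: the hardened path counts the chain before allocating any decoder state, so the cost of a hostile response is bounded by header parsing alone.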

Comment 5 Herman Viaene 2023-02-17 17:02:53 CET
As in bug 31306, rebooted; wifi is OK and checked settings in Network Center: all OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 6 Morgan Leijström 2023-02-17 17:36:55 CET
mga8 -64, plasma, nvidia-current, intel i7, Swedish

Updated existing packages to:
- curl-7.74.0-1.11.mga8.x86_64
- lib64curl-devel-7.74.0-1.11.mga8.x86_64
- lib64curl4-7.74.0-1.11.mga8.x86_64

rebooted.

downloaded a file from internet OK

Due to Bug 24362 - Change default package downloader to wget 
*I* am *not* testing it for updates use

CC: (none) => fri

Comment 7 Thomas Andrews 2023-02-18 15:16:32 CET
Validating. Advisory in comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-20 20:54:00 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2023-02-20 22:27:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0054.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

