cURL has issued advisories today (March 20): https://curl.se/docs/CVE-2023-27533.html https://curl.se/docs/CVE-2023-27534.html https://curl.se/docs/CVE-2023-27535.html https://curl.se/docs/CVE-2023-27536.html https://curl.se/docs/CVE-2023-27537.html https://curl.se/docs/CVE-2023-27538.html The issues are fixed upstream in 8.0.0. Mageia 8 is also affected by all those issues except CVE-2023-27537.
Whiteboard: (none) => MGA8TOO
CC: (none) => nicolas.salguero
Source RPM: (none) => curl-7.88.1-1.mga9.src.rpm
cURL 8.0.1 was released to fix a bug present in 8.0.0.
Status comment: (none) => Fixed upstream in 8.0.1
*** Bug 31704 has been marked as a duplicate of this bug. ***
CC: (none) => luigiwalser
Ubuntu has issued an advisory for this today (March 20): https://ubuntu.com/security/notices/USN-5964-1
Assigning to Stig who currently updates curl.
Assignee: bugsquad => smelror
I've sent this over to my Padawan to look at. Will update when he's done the necessary changes.
Hi, Sorry to have cut the grass underfoot. For Cauldron, I added the patches from Debian. For Mga8, I had to mix and adapt the patches from Ubuntu. Best regards, Nico.
(In reply to Nicolas Salguero from comment #6)
> Hi,
>
> Sorry to have cut the grass underfoot.
>
> For Cauldron, I added the patches from Debian.
>
> For Mga8, I had to mix and adapt the patches from Ubuntu.
>
> Best regards,
>
> Nico.

No worries :-)
(In reply to Nicolas Salguero from comment #6)
> Hi,
>
> Sorry to have cut the grass underfoot.
>
> For Cauldron, I added the patches from Debian.
>
> For Mga8, I had to mix and adapt the patches from Ubuntu.
>
> Best regards,
>
> Nico.

Are we going to push a build with these fixes?
cURL has issued advisories on May 17: https://curl.se/docs/CVE-2023-28319.html https://curl.se/docs/CVE-2023-28320.html https://curl.se/docs/CVE-2023-28321.html https://curl.se/docs/CVE-2023-28322.html The issues are fixed upstream in 8.0.1. Mageia 8 is affected by all but CVE-2023-28319.
Summary: curl new security issues CVE-2023-2753[3-8] => curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2]
Correction, the new issues are fixed upstream in 8.1.0: https://curl.se/changes.html
Status comment: Fixed upstream in 8.0.1 => Fixed upstream in 8.1.0
SUSE has issued an advisory for the latest issues on May 17: https://lists.suse.com/pipermail/sle-security-updates/2023-May/014913.html
Hi, curl-7.88.1-3.mga9 fixes all those CVEs. Best regards,
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
I forgot to say that curl-7.74.0-1.12.mga8 fixes CVE-2023-2753[3-8], CVE-2023-28319.
Oops, only CVE-2023-2753[3-8], not CVE-2023-28319.
cURL has issued an advisory on July 19: https://curl.se/docs/CVE-2023-32001.html The issue is fixed upstream in 8.2.0. Mageia 8 is also affected.
Summary: curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2] => curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2], CVE-2023-32001
Version: 8 => Cauldron
Status comment: Fixed upstream in 8.1.0 => Fixed upstream in 8.2.0
Whiteboard: (none) => MGA8TOO
CVE-2023-32001 was finally rejected as it is no longer considered a security issue. cURL has issued an advisory on September 13: https://curl.se/docs/CVE-2023-38039.html The issue is fixed upstream in 8.3.0. Mageia 8 is not affected by that CVE.
Version: Cauldron => 9
Status comment: Fixed upstream in 8.2.0 => Fixed upstream in 8.3.0
Summary: curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2], CVE-2023-32001 => curl new security issues CVE-2023-2753[3-8], CVE-2023-28319, CVE-2023-2832[0-2], CVE-2023-38039
Ubuntu has issued an advisory for CVE-2023-38039 on September 13: https://ubuntu.com/security/notices/USN-6363-1
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

TELNET option IAC injection. (CVE-2023-27533)
SFTP path ~ resolving discrepancy. (CVE-2023-27534)
FTP too eager connection reuse. (CVE-2023-27535)
GSS delegation too eager connection re-use. (CVE-2023-27536)
HSTS double free. (CVE-2023-27537)
SSH connection too eager reuse still. (CVE-2023-27538)
UAF in SSH sha256 fingerprint check. (CVE-2023-28319)
siglongjmp race condition. (CVE-2023-28320)
IDN wildcard match. (CVE-2023-28321)
more POST-after-PUT confusion. (CVE-2023-28322)
HTTP headers eat all memory. (CVE-2023-38039)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27534
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27537
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27538
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28319
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28320
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28321
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28322
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38039
https://curl.se/docs/CVE-2023-27533.html
https://curl.se/docs/CVE-2023-27534.html
https://curl.se/docs/CVE-2023-27535.html
https://curl.se/docs/CVE-2023-27536.html
https://curl.se/docs/CVE-2023-27537.html
https://curl.se/docs/CVE-2023-27538.html
https://ubuntu.com/security/notices/USN-5964-1
https://curl.se/docs/CVE-2023-28319.html
https://curl.se/docs/CVE-2023-28320.html
https://curl.se/docs/CVE-2023-28321.html
https://curl.se/docs/CVE-2023-28322.html
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014913.html
https://curl.se/docs/CVE-2023-32001.html
https://curl.se/docs/CVE-2023-38039.html
https://ubuntu.com/security/notices/USN-6363-1

========================
Updated packages in 9/core/updates_testing:
========================
curl-7.88.1-3.1.mga9
curl-examples-7.88.1-3.1.mga9
lib(64)curl4-7.88.1-3.1.mga9
lib(64)curl-devel-7.88.1-3.1.mga9

from SRPM:
curl-7.88.1-3.1.mga9.src.rpm

========================
Updated packages in 8/core/updates_testing:
========================
curl-7.74.0-1.13.mga8
curl-examples-7.74.0-1.13.mga8
lib(64)curl4-7.74.0-1.13.mga8
lib(64)curl-devel-7.74.0-1.13.mga8

from SRPM:
curl-7.74.0-1.13.mga8.src.rpm
Source RPM: curl-7.88.1-1.mga9.src.rpm => curl-7.88.1-3.mga9.src.rpm
Status comment: Fixed upstream in 8.3.0 => (none)
Assignee: smelror => qa-bugs
Status: NEW => ASSIGNED
Tested on m8 and m9. Validating.
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK MGA9-64-OK
Keywords: (none) => validated_update
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0263.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED