Those issues were announced here:
https://curl.se/docs/CVE-2024-2004.html
https://curl.se/docs/CVE-2024-2379.html
https://curl.se/docs/CVE-2024-2398.html
https://curl.se/docs/CVE-2024-2466.html
Mageia 9 is affected by CVE-2024-2004 and CVE-2024-2398.
Source RPM: (none) => curl-8.6.0-3.mga10.src.rpm
CVE: (none) => CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 8.7.0 and patches available from upstream
Assigning this to you, Dan, as you seem to be the principal maintainer of curl.
Assignee: bugsquad => dan
I should probably make that official…
Status: NEW => ASSIGNED
Only CVE-2024-2398 and CVE-2024-2004 apply to mga9 (ver. 7.88.1) as well as our package of 8.6.0 in Cauldron. I have a feeling there will be a point release in a few days and since neither of them are high severity I'll hold off on updating Cauldron for the moment.
I accidentally bumped the rel instead of the subrel, but curl-7.88.1-4.3.mga9 is now available in updates_testing (the rel bump shouldn't matter because cauldron is way ahead of this version).

Proposed advisory:

Patched curl/libcurl fixes security vulnerabilities

CVE-2024-2004: Usage of disabled protocol
If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted.

CVE-2024-2398: HTTP/2 push headers memory-leak
A memory leak could occur when an application enabled HTTP/2 server push and the server sent a large number of headers.

References:
https://curl.se/docs/CVE-2024-2004.html
https://curl.se/docs/CVE-2024-2398.html

New RPMs:
- i586:
curl-examples-7.88.1-4.3.mga9.noarch.rpm
libcurl4-7.88.1-4.3.mga9.i586.rpm
curl-7.88.1-4.3.mga9.i586.rpm
libcurl-devel-7.88.1-4.3.mga9.i586.rpm
curl-debugsource-7.88.1-4.3.mga9.i586.rpm
curl-debuginfo-7.88.1-4.3.mga9.i586.rpm
libcurl4-debuginfo-7.88.1-4.3.mga9.i586.rpm
- x86_64:
curl-examples-7.88.1-4.3.mga9.noarch.rpm
lib64curl-devel-7.88.1-4.3.mga9.x86_64.rpm
lib64curl4-7.88.1-4.3.mga9.x86_64.rpm
curl-7.88.1-4.3.mga9.x86_64.rpm
curl-debuginfo-7.88.1-4.3.mga9.x86_64.rpm
curl-debugsource-7.88.1-4.3.mga9.x86_64.rpm
lib64curl4-debuginfo-7.88.1-4.3.mga9.x86_64.rpm
- armv7hl:
libcurl-devel-7.88.1-4.3.mga9.armv7hl.rpm
libcurl4-7.88.1-4.3.mga9.armv7hl.rpm
curl-examples-7.88.1-4.3.mga9.noarch.rpm
curl-7.88.1-4.3.mga9.armv7hl.rpm
curl-debugsource-7.88.1-4.3.mga9.armv7hl.rpm
curl-debuginfo-7.88.1-4.3.mga9.armv7hl.rpm
libcurl4-debuginfo-7.88.1-4.3.mga9.armv7hl.rpm
- aarch64:
lib64curl-devel-7.88.1-4.3.mga9.aarch64.rpm
curl-examples-7.88.1-4.3.mga9.noarch.rpm
lib64curl4-7.88.1-4.3.mga9.aarch64.rpm
curl-7.88.1-4.3.mga9.aarch64.rpm
curl-debuginfo-7.88.1-4.3.mga9.aarch64.rpm
lib64curl4-debuginfo-7.88.1-4.3.mga9.aarch64.rpm
curl-debugsource-7.88.1-4.3.mga9.aarch64.rpm
- source:
curl-7.88.1-4.3.mga9.src.rpm

Test procedure for CVE-2024-2004:
Run:
curl --no-progress-meter --proto -all http://curl.se
The result should be:
curl: (1) Protocol "http" disabled
If the result is no output, curl is buggy.

I'm not aware of an easy test procedure for CVE-2024-2398.
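A small checker that automates the CVE-2024-2004 test procedure above, added here as an example and not part of the bug report or the curl project. It accepts both error wordings seen in this thread (the 8.x text quoted in the procedure and the 7.88.1 text libcurl actually printed) and, as an assumption stated in the code, treats any exit code that implies a network attempt as the vulnerable behaviour, since a fixed curl rejects the disabled protocol before resolving the host.

```python
import re
import subprocess

# Command from the bug's test procedure for CVE-2024-2004.
CMD = ["curl", "--no-progress-meter", "--proto", "-all", "http://curl.se"]

# Both wordings seen in this thread: the 8.x text quoted in the procedure
# and the 7.88.1 text the testers actually got from libcurl.
DISABLED_RE = re.compile(
    r'curl: \(1\) Protocol "http" (?:disabled|not supported or disabled in libcurl)'
)

# Exit codes meaning curl attempted a request: 0 success, 6 resolve failure,
# 7 connect failure, 28 timeout. Assumption: a fixed build fails before any
# of these can happen, so they only appear on a vulnerable build (offline
# runs end in 6/7/28 instead of 0).
ATTEMPTED_REQUEST = {0, 6, 7, 28}


def classify(returncode, stderr):
    """Map one curl run to 'fixed', 'vulnerable' or 'inconclusive'."""
    if returncode == 1 and DISABLED_RE.search(stderr):
        return "fixed"
    if returncode in ATTEMPTED_REQUEST:
        # The request went out although every protocol was disabled.
        return "vulnerable"
    return "inconclusive"


def run_check(cmd=CMD, timeout=30):
    """Run the test command from the procedure and classify its outcome."""
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return "inconclusive"  # curl is not installed on this host
    except subprocess.TimeoutExpired:
        return "vulnerable"  # it sat waiting on the network it should not touch
    return classify(proc.returncode, proc.stderr)


if __name__ == "__main__":
    print(run_check())
```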
Whiteboard: MGA9TOO => MGA9TOO, has_procedure
QA Contact: security => qa-bugs
Keywords: (none) => advisory
Assignee: dan => qa-bugs
QA Contact: qa-bugs => security
RH mageia 9 x86_64

Before the update
curl --no-progress-meter --proto -all http://curl.se
Produces empty output

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing lib64curl4-7.88.1-4.3.mga9.x86_64.rpm lib64curl-devel-7.88.1-4.3.mga9.x86_64.rpm curl-7.88.1-4.3.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: lib64curl4 ##################################################################################################
2/3: lib64curl-devel ##################################################################################################
3/3: curl ##################################################################################################
1/3: removing lib64curl-devel-1:7.88.1-3.3.mga9.x86_64 ##################################################################################################
2/3: removing curl-1:7.88.1-3.3.mga9.x86_64 ##################################################################################################
3/3: removing lib64curl4-1:7.88.1-3.3.mga9.x86_64 ##################################################################################################

After the update
curl --no-progress-meter --proto -all http://curl.se
curl: (1) Protocol "http" not supported or disabled in libcurl
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues

Ref bug 32362 for testing and comment 5 above:
$ curl --no-progress-meter --proto -all http://curl.se
curl: (1) Protocol "http" not supported or disabled in libcurl

Tests as in bug 32362, but tor test omitted (not enough time)
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4252  100  4219  100    33  11406     89 --:--:-- --:--:-- --:--:-- 11523
$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4301  100  4268  100    33  23374    180 --:--:-- --:--:-- --:--:-- 23502
$ grep ' = ' /tmp/out.html
<li><code>yummy = chocolate</code></li>

Looks OK for me AFAICS
CC: (none) => herman.viaene
CC: (none) => andrewsfarm
Whiteboard: MGA9TOO, has_procedure => MGA9-64-OK, has_procedure
Version: Cauldron => 9
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0099.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED