cURL has issued an advisory on November 6: https://curl.se/docs/CVE-2024-9681.html The issue is fixed upstream in 8.11.0 (for Cauldron). Patch (for Mageia 9): https://github.com/curl/curl/commit/a94973805df96269bf
Whiteboard: (none) => MGA9TOOSource RPM: (none) => curl-8.10.1-1.mga10.src.rpm, curl-7.88.1-4.3.mga9.src.rpmStatus comment: (none) => Fixed upstream in 8.11.0 and patch available from upstreamCVE: (none) => CVE-2024-9681
Assignee: bugsquad => danCC: (none) => danStatus: NEW => ASSIGNED
Cauldron has been updated to curl-8.11.0-1.mga10
The following are available in 9/updates_testing: RPMs: curl-7.88.1-4.4.mga9 curl-debuginfo-7.88.1-4.4.mga9 curl-debugsource-7.88.1-4.4.mga9 curl-examples-7.88.1-4.4.mga9 lib64curl4-7.88.1-4.4.mga9 lib64curl4-debuginfo-7.88.1-4.4.mga9 lib64curl-devel-7.88.1-4.4.mga9 SRPMS: curl-7.88.1-4.4.mga9 Suggested advisory text (mostly cobbled together from the curl advisory): When curl is asked to use HSTS, the expiry time for a subdomain might overwrite a parent domain's cache entry, making it end sooner or later than otherwise intended. This affects curl using applications that enable HSTS and use URLs with the insecure HTTP:// scheme and perform transfers with hosts like x.example.com as well as example.com where the first host is a subdomain of the second host. This flaw also affects the curl command line tool. When triggered, this is a potential minor DoS security problem when trying to use HTTPS when that no longer works or a cleartext transmission of data that was otherwise intended to possibly be protected. This update fixes the issue so subdomains cannot affect the HSTS cache of a parent domain.
Assignee: dan => qa-bugs
Version: Cauldron => 9Source RPM: curl-8.10.1-1.mga10.src.rpm, curl-7.88.1-4.3.mga9.src.rpm => curl-7.88.1-4.3.mga9.src.rpm
Keywords: (none) => advisoryWhiteboard: MGA9TOO => (none)
Created attachment 14749 [details] Log of LC_ALL=C urpmi.update -a -ff --debug RH x86_64 LC_ALL=C urpmi --auto --auto-update medium "QA Testing (32-bit)" is up-to-date medium "QA Testing (64-bit)" is up-to-date medium "Core Release (distrib1)" is up-to-date medium "Core Updates (distrib3)" is up-to-date medium "Nonfree Release (distrib11)" is up-to-date medium "Nonfree Updates (distrib13)" is up-to-date medium "Tainted Release (distrib21)" is up-to-date medium "Tainted Updates (distrib23)" is up-to-date medium "Core 32bit Release (distrib31)" is up-to-date medium "Core 32bit Updates (distrib32)" is up-to-date medium "Nonfree 32bit Release (distrib36)" is up-to-date medium "Nonfree 32bit Updates (distrib37)" is up-to-date medium "Tainted 32bit Release (distrib41)" is up-to-date medium "Tainted 32bit Updates (distrib42)" is up-to-date installing curl-7.88.1-4.4.mga9.x86_64.rpm lib64curl4-7.88.1-4.4.mga9.x86_64.rpm lib64curl-devel-7.88.1-4.4.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64 Preparing... ################################################################################################## 1/3: lib64curl4 ################################################################################################## 2/3: curl ################################################################################################## 3/3: lib64curl-devel ################################################################################################## 1/3: removing lib64curl-devel-1:7.88.1-4.3.mga9.x86_64 ################################################################################################## 2/3: removing curl-1:7.88.1-4.3.mga9.x86_64 ################################################################################################## 3/3: removing lib64curl4-1:7.88.1-4.3.mga9.x86_64 ################################################################################################## Change download manager to curl in drakrpm-editmedia And run LC_ALL=C urpmi.update -a -ff --debug , the attached log shows that works
RH x86_64 strace transmission-qt shows openat(AT_FDCWD, "/lib64/libcurl.so.4", O_RDONLY|O_CLOEXEC) = 3 The application works
CC: (none) => mageia
I run into error 22 but that is no regression i think. https://wiki.mageia.org/en/Mageia_9_Errata
CC: (none) => fri
MGA9-64 Plasma Wayland on HP-Pavillion No installation issues Ref bug 32362 for testing and bug 33020 comment 5 $ curl https://ident.me ; echo 94.105.126.32 [tester9@mach4 ~]$ rm -f /tmp/cookiejar /tmp/out.html [tester9@mach4 ~]$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4576 100 4543 100 33 13313 96 --:--:-- --:--:-- --:--:-- 13458 [tester9@mach4 ~]$ curl -d name=yummy -d value=chocolate -d path=/ -b /tmp/cookiejar -c /tmp/cookiejar https://setcookie.net/ -o /tmp/out.html % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 4625 100 4592 100 33 24229 174 --:--:-- --:--:-- --:--:-- 24601 [tester9@mach4 ~]$ grep ' = ' /tmp/out.html <li><code>yummy = chocolate</code></li> Looks OK
Whiteboard: (none) => MGA9-64-OKCC: (none) => herman.viaene
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
This package was pushed today but for some reason this bug wasn't automatically closed.
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0360.html