cURL has issued an advisory on December 11: https://curl.se/docs/CVE-2024-11053.html
Fix: https://github.com/curl/curl/commit/e9b9bbac22c26cf6731
Source RPM: (none) => curl-8.11.0-2.mga10.src.rpm, curl-7.88.1-4.4.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in 8.11.1 and patch available from upstream
CVE: (none) => CVE-2024-11053
Cauldron has been updated to 8.11.1
Status: NEW => ASSIGNED
Assignee: bugsquad => dan
CC: (none) => dan
There have been some significant changes to the netrc parsing code since 7.88.1, so rather than try to back-port the changes in logic, I applied minimal subsets of the previous commits necessary to apply the final fix. This made for a somewhat larger patch than strictly necessary, but if you exclude the netrc file and the added regression tests to verify the fix, there's really not that much more.
curl-7.88.1-4.5.mga9 is available in updates_testing. The patch includes three new tests, 478, 479 and 480, to verify the fix, which can be checked in the build logs as having passed. A related non-security issue is also fixed, which is verified by tests 998 and 999.

RPMS:
curl-7.88.1-4.5.mga9
lib64curl4-7.88.1-4.5.mga9
lib64curl-devel-7.88.1-4.5.mga9
curl-examples-7.88.1-4.5.mga9
curl-debuginfo-7.88.1-4.5.mga9
curl-debugsource-7.88.1-4.5.mga9

SRPMS:
curl-7.88.1-4.5.mga9.src.rpm

Suggested advisory notice:

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password. This update fixes this logic to avoid sending a password to the wrong host.
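The advisory notice above describes the flaw in terms of which .netrc fields are present for the redirect target. The following is an added illustration, not curl's code and not part of this bug report: a minimal .netrc parser plus two credential-lookup models, one that lets fields the target entry omits fall through to the values left over from the first host (the leak the notice describes), and one that consults only the target host's own entry. The sample .netrc content, the hostnames and all function names are constructed for the example; how curl's real fix handles an entry without a password beyond "no password from another host is sent" is not something this report states.

```python
"""
Added model of the .netrc credential-selection flaw described in the advisory.
Not curl's code: a simplified illustration of the logic only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample .netrc (assumed content, not taken from the bug report).
SAMPLE_NETRC = """
machine first.example.com login alice password s3cret
machine redirect.example.com login bob
machine bare.example.com
"""

Creds = Tuple[Optional[str], Optional[str]]  # (login, password)


@dataclass
class NetrcEntry:
    host: str
    login: Optional[str] = None
    password: Optional[str] = None


def parse_netrc(text: str) -> Dict[str, NetrcEntry]:
    """Minimal .netrc tokenizer: only machine/login/password are handled
    ('default', 'macdef' and quoting are deliberately left out)."""
    entries: Dict[str, NetrcEntry] = {}
    tokens = text.split()
    current: Optional[NetrcEntry] = None
    i = 0
    while i < len(tokens):
        key = tokens[i]
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if key == "machine" and value is not None:
            current = NetrcEntry(host=value)
            entries[value] = current
            i += 2
        elif key in ("login", "password") and current is not None and value is not None:
            setattr(current, key, value)
            i += 2
        else:
            i += 1  # skip unknown or malformed tokens
    return entries


def lookup_flawed(entries: Dict[str, NetrcEntry], host: str, carried: Creds) -> Optional[Creds]:
    """Flawed lookup (modelled after the advisory text): any field the matching
    entry omits keeps whatever is still in the credential buffers from the
    previous host, so the first host's password travels to the redirect target."""
    entry = entries.get(host)
    if entry is None:
        return None
    login = entry.login if entry.login is not None else carried[0]
    password = entry.password if entry.password is not None else carried[1]
    return (login, password)


def lookup_fixed(entries: Dict[str, NetrcEntry], host: str, carried: Creds) -> Optional[Creds]:
    """Fixed lookup: only the target host's own entry is consulted. The carried
    credentials are ignored on purpose, so an omitted field stays empty."""
    entry = entries.get(host)
    if entry is None:
        return None
    return (entry.login, entry.password)


def follow_redirect(entries: Dict[str, NetrcEntry], first_host: str, redirect_host: str, lookup) -> Optional[Creds]:
    """Simulate one request to first_host followed by a redirect to redirect_host,
    with the first host's credentials still in the buffers when the second
    lookup runs. Returns the credentials that would be sent to the redirect target."""
    first = lookup(entries, first_host, (None, None)) or (None, None)
    return lookup(entries, redirect_host, first)


if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    for host in ("redirect.example.com", "bare.example.com"):
        print(host, "flawed:", follow_redirect(entries, "first.example.com", host, lookup_flawed),
              "fixed:", follow_redirect(entries, "first.example.com", host, lookup_fixed))
```

With the constructed .netrc, the flawed model sends alice's password along with bob's login to redirect.example.com, and sends alice's full credentials to bare.example.com, whose entry has neither field; the fixed model sends only what each target's own entry contains. The same parser can be pointed at a real ~/.netrc to list entries that omit a password, which is the condition the advisory says the flaw depends on.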
Assignee: dan => qa-bugs
Version: Cauldron => 9
Source RPM: curl-8.11.0-2.mga10.src.rpm, curl-7.88.1-4.4.mga9.src.rpm => curl-7.88.1-4.4.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Keywords: (none) => advisory
Mageia x64 GNOME

Updated with RPMs:
curl 7.88.1 4.5.mga9 x86_64
lib64curl-devel 7.88.1 4.5.mga9 x86_64
lib64curl4 7.88.1 4.5.mga9 x86_64

No issues after installation.

curl -I https://www.mageia.org/fr/
HTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 07:28:42 GMT
Server: Apache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8

curl -O https://geex.freeboxos.fr/distrib/9/x86_64/install/images/Mageia-9-netinstall-x86_64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 70.0M  100 70.0M    0     0  56.2M      0  0:00:01  0:00:01 --:--:-- 56.2M

NOTE:

curl-debuginfo-7.88.1-4.5.mga9
curl-debugsource-7.88.1-4.5.mga9

are not in updates_testing.
CC: (none) => guillaume.royer
MGA9-64 Plasma Wayland on Compaq H000SB

No installation issues. Repeated tests above:

$ curl -I https://www.mageia.org/fr/r/
HTTP/1.1 200 OK
Date: Fri, 13 Dec 2024 10:53:52 GMT
Server: Apache
Vary: User-Agent
Content-Type: text/html; charset=UTF-8

[tester9@mach3 ~]$ cd tmp
[tester9@mach3 tmp]$ curl -O https://geex.freeboxos.fr/distrib/9/x86_64/install/images/Mageia-9-netinstall-x86_64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 70.0M  100 70.0M    0     0  6330k      0  0:00:11  0:00:11 --:--:-- 6462k

File downloaded OK. This is similar to tests on previous updates, so OK.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
(In reply to Guillaume Royer from comment #4)
> NOTE:
>
> curl-debuginfo-7.88.1-4.5.mga9
> curl-debugsource-7.88.1-4.5.mga9
>
> are not in updates_testing

Those packages are in the testing flavor of the debug repositories, not for testing by QA.
RH x86_64

installing lib64curl4-7.88.1-4.5.mga9.x86_64.rpm lib64curl-devel-7.88.1-4.5.mga9.x86_64.rpm curl-7.88.1-4.5.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64curl4            ##################################################################################################
      2/3: lib64curl-devel       ##################################################################################################
      3/3: curl                  ##################################################################################################
      1/3: removing lib64curl-devel-1:7.88.1-4.4.mga9.x86_64
                                 ##################################################################################################
      2/3: removing curl-1:7.88.1-4.4.mga9.x86_64
                                 ##################################################################################################
      3/3: removing lib64curl4-1:7.88.1-4.4.mga9.x86_64
                                 ##################################################################################################

Switch to curl as download manager in drakrpm-editmedia

urpmi.update -a --debug

Works
CC: (none) => andrewsfarm
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0391.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED