Those issues were announced here: https://curl.se/docs/CVE-2025-0167.html https://curl.se/docs/CVE-2025-0665.html https://curl.se/docs/CVE-2025-0725.html
Another issue was reported here: https://www.openwall.com/lists/oss-security/2025/02/05/4 (not fixed in 8.12.0)
Status comment: (none) => Fixed upstream in 8.12.0 and patches available from upstream
Source RPM: (none) => curl-8.11.1-2.mga10.src.rpm, curl-7.88.1-4.6.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2025-0167, CVE-2025-0665, CVE-2025-0725
The 3 curl URLs give the patches under SOLUTION. DanF has just put v8.12.0 into Cauldron. Can I pass this to you for Mageia 9 also? [It will need an Advisory etc.]. Re-assign it if you prefer.
Assignee: bugsquad => dan
I've already upgraded curl to 8.12.0 in cauldron. mga9 curl is not susceptible to CVE-2025-0725 due to our zlib version. mga9 curl is not susceptible to CVE-2025-0665 due to the flaw being introduced very recently. I snuck in a fix for CVE-2025-0167 into the last curl bugfix release (7.88.1-4.6.mga9, bug #33893). So, I don't believe there is anything left to do as far as packages are concerned. The only thing would be to create a security advisory for CVE-2025-0167. I'm not sure the best way to do that. Maybe create a new advisory on the same RPM version as bug #33893 without an associated RPM push? Is there any reason that wouldn't work?
N.B. The issue in that openwall.com link was deemed not a security issue upstream, and I concur.
You can modify the Bug 33893 advisory in SVN with the issue details and CVE and it'll be updated on the website the next time updates are pushed.
The problem is that #33893 was a bug advisory, not a security advisory.
That's fine, the text and references can still be changed (and if the issue is being disputed as a security issue, you can just add the details without feeling like you're cheating).
But, the old issue was raised as a MGAA identifier but the new one would need a MGASA identifier. I don't see how it could be reused.
All the issues are already fixed so I close my bug report.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
I think we should create a security advisory to notify Mageia users about the problem so risk-averse users who only apply security fixes will see it. We should be able to follow the regular security process, except skip the actual pushing of a new release since that has already been done. We'll get an advisory at https://advisories.mageia.org/ which will create a link to the fix at https://osv.dev/vulnerability/CVE-2025-0167 so people can see what needs to be upgraded to fix that particular vulnerability. That means the list of packages for bug 33893 and this bug will be the same, which should be fine. Assuming that path forward is acceptable, here is proposed text for the advisory:

Updated curl packages fix security vulnerability

When asked to use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. The fix was included previously as part of MGAA-2025-0004.

https://bugs.mageia.org/show_bug.cgi?id=33992
https://bugs.mageia.org/show_bug.cgi?id=33893
https://curl.se/docs/CVE-2025-0167.html
https://advisories.mageia.org/MGAA-2025-0004.html

RPMS (x86_64):
curl-7.88.1-4.6.mga9.x86_64.rpm
curl-examples-7.88.1-4.6.mga9.noarch.rpm
lib64curl4-7.88.1-4.6.mga9.x86_64.rpm
lib64curl-devel-7.88.1-4.6.mga9.x86_64.rpm

SRPMS:
curl-7.88.1-4.6.mga9.src.rpm
Depends on: (none) => 33893
Resolution: FIXED => (none)
Assignee: dan => qa-bugs
Status: RESOLVED => REOPENED
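The advisory text above describes the class of flaw as credentials read from .netrc for the first host being carried along to a different host after an HTTP redirect. The following is an added illustration, not code from curl or from this bug's patch, of the behaviour a client must have to avoid that: credentials are looked up per host, so a redirect to a different host re-does the lookup instead of reusing what was already sent. The .netrc content, hostnames and redirect chain are constructed for the example; the minimal .netrc parser handles only `machine` and `default` entries with `login`/`password` tokens.

```python
from urllib.parse import urlsplit

# Constructed sample .netrc (not from the bug report): one named host plus a default entry.
SAMPLE_NETRC = """\
machine first.example login alice password s3cret-first
default login anonymous password guest@example
"""

# Constructed redirect chain: url -> (status, Location header or None).
SAMPLE_RESPONSES = {
    "https://first.example/download": (302, "https://second.example/mirror"),
    "https://second.example/mirror": (200, None),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_netrc(text):
    """Return {hostname: (login, password)}; the 'default' entry is stored under ''."""
    entries = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "machine" and len(tokens) > 1:
            host, rest = tokens[1], tokens[2:]
        elif tokens[0] == "default":
            host, rest = "", tokens[1:]
        else:
            continue  # macdef and other tokens are out of scope for this illustration
        kv = dict(zip(rest[0::2], rest[1::2]))
        entries[host] = (kv.get("login"), kv.get("password"))
    return entries


def credentials_for(entries, host):
    """Exact-host lookup first; fall back to the default entry only if one exists."""
    if host in entries:
        return entries[host]
    return entries.get("")


def follow_redirects(start_url, responses, entries, rescope_per_host=True, max_hops=10):
    """Simulate a client following redirects.

    Returns a list of (host, login, password) tuples, one per request actually sent.
    rescope_per_host=True  -> credentials are re-looked-up for every host (safe).
    rescope_per_host=False -> the first host's credentials travel with the redirect,
                              which is the leak class the advisory describes.
    """
    sent = []
    url = start_url
    creds = None
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if rescope_per_host or creds is None:
            creds = credentials_for(entries, host)
        login, password = creds if creds else (None, None)
        sent.append((host, login, password))
        status, location = responses[url]
        if status in REDIRECT_STATUSES and location:
            url = location
            continue
        break
    return sent


def leaked_first_password(sent):
    """True if the first host's password was sent to any other host."""
    first_host, _, first_pw = sent[0]
    return any(h != first_host and pw == first_pw for h, _, pw in sent[1:])


if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    for mode in (True, False):
        trace = follow_redirects("https://first.example/download", SAMPLE_RESPONSES, entries, mode)
        print(f"rescope_per_host={mode}: leaked={leaked_first_password(trace)} {trace}")
```

The point to carry away is in `follow_redirects`: the safe path resolves credentials from the redirected-to hostname on every hop, so `second.example` only ever receives the default entry's credentials, never `alice`'s password.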
That information can be added to the advisory in SVN for Bug 33893, and the advisory on the web will be updated the next time updates are pushed.
If there is a security advisory for this issue, please show me which one.
CC: (none) => dan
…keeping in mind that MGAA-2025-0004 is NOT a security advisory.
(In reply to Dan Fandrich from comment #12)
> If there is a security advisory for this issue, please show me which one.

grep CVE-2025-0167 * in my advisory folder does not produce output
(In reply to katnatek from comment #14)
> (In reply to Dan Fandrich from comment #12)
> > If there is a security advisory for this issue, please show me which one.
>
> grep CVE-2025-0167 * in my advisory folder does not produce output

And the same for the other CVEs
MGA9-64: packages not found in repository???
CC: (none) => herman.viaene
The packages have already been moved to updates as part of bug 33893. They probably don't need further testing for this vulnerability since they were tested in that bug for a similar problem in .netrc handling.
CC: (none) => brtians1
Whiteboard: MGA9TOO => MGA9TOO MGA9-64-OK
(In reply to Dan Fandrich from comment #17)
> The packages have already been moved to updates as part of bug 33893. They
> probably don't need further testing for this vulnerability since they were
> tested in that bug for a similar problem in .netrc handling.

All right then, validating the MGA9 update.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Changing to a MGA9 bug, based on comment 3.
Version: Cauldron => 9
Whiteboard: MGA9TOO MGA9-64-OK => MGA9-64-OK
I don't know what I must do with the advisory
There isn't an actual update for this bug, as the update was already released. Either the existing advisory would have to be updated, or these details would have to be added to the advisory for the next curl update, noting that these issues were actually fixed in the previous update.
If you treat this as just another security advisory and create an appropriate 33992.adv file (such as based on comment 10), it should be sufficient. The intent is to notify users that there is a security fix available to them. When the advisory is pushed, it may take a bit of coaxing because the packages have been pushed, but I'll take care of that if it's necessary.
Perhaps a blog post is better in this case?
A blog post won't update https://advisories.mageia.org, won't update https://osv.dev and won't notify users via security scanners.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0123.html
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED
I had to bypass the SRPM validation check and the actual RPM move steps while pushing this, but the advisory is now out and published. Thanks for seeing this odd case through.