Upstream has issued an advisory today (April 12): http://curl.haxx.se/docs/adv_20130412.html

The issue is fixed upstream in 7.30.0 and with a patch. The patch is currently checked into Cauldron and Mageia 2 SVN.
Whiteboard: (none) => MGA2TOO
Patched packages uploaded for Mageia 2 and Cauldron.

Advisory:
========================

Updated curl packages fix security vulnerability:

libcurl is vulnerable to a cookie leak vulnerability when doing requests across domains with matching tails. This vulnerability can be used to hijack sessions in targeted attacks since registering domains using a known domain's name as an ending is trivial (CVE-2013-1944).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1944
http://curl.haxx.se/docs/adv_20130412.html
========================

Updated packages in core/updates_testing:
========================
curl-7.24.0-1.1.mga2
libcurl4-7.24.0-1.1.mga2
libcurl-devel-7.24.0-1.1.mga2
curl-examples-7.24.0-1.1.mga2

from curl-7.24.0-1.1.mga2.src.rpm
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)
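To make the "matching tails" problem in the advisory concrete, here is an added illustration that is not part of this bug report or of curl's source: a simplified model of cookie domain tail matching in the flawed form (any host whose name merely ends with the cookie domain string matches, so a cookie set for `ample.com` would be sent to `example.com`) next to a corrected form that only accepts an exact match or a match at a dot boundary. Function names, the leading-dot handling and the sample domains are assumptions for the example; the real fix is the one in curl 7.30.0 and the upstream patch referenced above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Drop a single leading dot from a cookie domain ("  .example.com" style
 * values are common in Set-Cookie headers). Assumption for this example. */
static const char *strip_leading_dot(const char *cookie_domain)
{
    return (cookie_domain[0] == '.') ? cookie_domain + 1 : cookie_domain;
}

/* Flawed tail match: true whenever the hostname merely ENDS with the cookie
 * domain string. "ample.com" therefore matches "example.com", which is the
 * cross-domain cookie leak described in the advisory (CVE-2013-1944). */
bool tailmatch_flawed(const char *cookie_domain, const char *hostname)
{
    cookie_domain = strip_leading_dot(cookie_domain);
    size_t cooklen = strlen(cookie_domain);
    size_t hostlen = strlen(hostname);

    if (hostlen < cooklen)
        return false;
    return strncasecmp(cookie_domain, hostname + (hostlen - cooklen), cooklen) == 0;
}

/* Corrected tail match: the cookie domain must equal the whole hostname, or
 * be a suffix that starts right after a '.' label separator. */
bool tailmatch_fixed(const char *cookie_domain, const char *hostname)
{
    cookie_domain = strip_leading_dot(cookie_domain);
    size_t cooklen = strlen(cookie_domain);
    size_t hostlen = strlen(hostname);

    if (hostlen < cooklen)
        return false;
    if (hostlen == cooklen)
        return strcasecmp(cookie_domain, hostname) == 0;
    /* The suffix must begin at a label boundary: "ample.com" in
     * "example.com" is preceded by 'x', not '.', so it is rejected. */
    if (hostname[hostlen - cooklen - 1] != '.')
        return false;
    return strncasecmp(cookie_domain, hostname + (hostlen - cooklen), cooklen) == 0;
}

int main(void)
{
    /* Constructed sample: attacker registers "ample.com", victim site is
     * "example.com". */
    const char *cookie_domain = "ample.com";
    const char *victim_host = "example.com";

    printf("flawed: cookie for %s sent to %s? %s\n", cookie_domain, victim_host,
           tailmatch_flawed(cookie_domain, victim_host) ? "yes (leak)" : "no");
    printf("fixed : cookie for %s sent to %s? %s\n", cookie_domain, victim_host,
           tailmatch_fixed(cookie_domain, victim_host) ? "yes (leak)" : "no");
    printf("fixed : cookie for example.com sent to www.example.com? %s\n",
           tailmatch_fixed("example.com", "www.example.com") ? "yes" : "no");
    return 0;
}
```

The boundary check is the whole fix: a legitimate subdomain such as `www.example.com` still receives cookies scoped to `example.com`, while a lookalike registered under a different second-level label no longer does.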
Ubuntu has issued an advisory for this on April 15: http://www.ubuntu.com/usn/usn-1801-1/
URL: (none) => http://lwn.net/Vulnerabilities/547396/
Re-diffed patch from Ubuntu added to Mageia 1 SVN.
Procedure: https://bugs.mageia.org/show_bug.cgi?id=4307#c11
Whiteboard: (none) => has_procedure
Testing complete mga2 32. Curl also has a comprehensive test suite which runs at build time.
Whiteboard: has_procedure => has_procedure mga2-32-ok
Testing complete mga2 64. Validating SRPM & advisory in comment 1. Could sysadmin please push from core/updates_testing to core/updates? Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0121
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED