CVE-2021-22876: libcurl does not strip user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. libcurl automatically sets the Referer: HTTP request header field in outgoing HTTP requests if the CURLOPT_AUTOREFERER option is set. With the curl tool, it is enabled with --referer ";auto".

CVE-2021-22890: Enabled by default, libcurl supports the use of TLS 1.3 session tickets to resume previous TLS sessions to speed up subsequent TLS handshakes. When using an HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy and treat them as if they arrived from the remote server, and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence compared to TLS 1.2, where the session ids would be provided only during the TLS handshake, while in TLS 1.3 it happens post-handshake, and the code was not updated to take that changed behavior into account. When confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check, making a MITM attack possible to perform unnoticed. This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

Fixed in 7.76.0, please bump.
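As an added example (not code from this bug thread or from curl itself), the following Python shows the defender-side view of CVE-2021-22876: deriving a Referer value the way the fixed libcurl does (userinfo and fragment dropped), flagging a captured Referer header that still carries credentials, and checking a `curl --version` banner against the fix version named in the report. The function names, the sample URL and the sample banner are constructed for illustration.

```python
# Added example, not part of the bug report or of curl's own code.
import re
from urllib.parse import urlsplit, urlunsplit

CVE_FIXED_IN = (7, 76, 0)  # fix version stated in the report (the thread then waits for 7.76.1)
_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def safe_referer(url: str) -> str:
    """Build a Referer value from a request URL without userinfo or fragment."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:            # IPv6 literal must keep its brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    # user:password@ is simply not carried over; the fragment is dropped too
    # (RFC 7231 says a Referer must not contain it).
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def referer_leaks_credentials(referer_value: str) -> bool:
    """True if a Referer header value (e.g. from a proxy log) still has userinfo."""
    parts = urlsplit(referer_value)
    return parts.username is not None or parts.password is not None


def libcurl_is_fixed(version_banner: str) -> bool:
    """Parse the first line of `curl --version` and compare the libcurl version."""
    m = _LIBCURL_RE.search(version_banner)
    if m is None:
        raise ValueError("no libcurl/x.y.z token in banner")
    return tuple(int(g) for g in m.groups()) >= CVE_FIXED_IN


if __name__ == "__main__":
    # Constructed sample: a request URL carrying credentials, as a script using
    # --referer ";auto" across a redirect would have exposed before the fix.
    url = "https://alice:s3cret@example.com:8443/path/file?x=1#frag"
    print(safe_referer(url))                # https://example.com:8443/path/file?x=1
    print(referer_leaks_credentials(url))   # True
    # Constructed banner in the format of the first line of `curl --version`.
    banner = "curl 7.74.0 (x86_64-pc-linux-gnu) libcurl/7.74.0 OpenSSL/1.1.1k zlib/1.2.11"
    print(libcurl_is_fixed(banner))         # False
```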
I assume this is the same set of vulnerabilities mentioned in bug 777648?
(In reply to Emily Rowlands from comment #1)
> I assume this is the same set of vulnerabilities mentioned in bug 777648?

It is, although the info's here, so I'll mark that as a dup of this -- thanks!
*** Bug 777648 has been marked as a duplicate of this bug. ***
There is an HTTP/2 regression with a patch available that may come in a release this weekend: https://curl.se/mail/lib-2021-04/0000.html

"Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2 regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS backends.

Probably reason enough for a patch release, but the final verdict for patch release or not will happen during this coming weekend. Stay tuned."
(In reply to John Helmert III from comment #4)
> There is an HTTP/2 regression with a patch available that may come in a
> release this weekend: https://curl.se/mail/lib-2021-04/0000.html
>
> "Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2
> regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS
> backends.
>
> Probably reason enough for a patch release, but the final verdict for patch
> release or not will happen during this coming weekend. Stay tuned."

I've got 7.76.0 in the tree now. Maybe wait for 7.76.1?
(In reply to Anthony Basile from comment #5)
> (In reply to John Helmert III from comment #4)
> > There is an HTTP/2 regression with a patch available that may come in a
> > release this weekend: https://curl.se/mail/lib-2021-04/0000.html
> >
> > "Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2
> > regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS
> > backends.
> >
> > Probably reason enough for a patch release, but the final verdict for patch
> > release or not will happen during this coming weekend. Stay tuned."
>
> I've got 7.76.0 in the tree now. Maybe wait for 7.76.1?

Coming in < 48 hrs apparently
7.76.1 is released.
(In reply to John Helmert III from comment #7)
> 7.76.1 is released.

It's on the tree. Go ahead and start stabilization.
x86 done
looks like 7.76.0 was stabilized on x86, instead of 7.76.1
(In reply to Scott Howard from comment #10)
> looks like 7.76.0 was stabilized on x86, instead of 7.76.1

Package list fixed now. Good spot.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5785b9874b5b556912b5d12444dabcd619cc4f15

commit 5785b9874b5b556912b5d12444dabcd619cc4f15
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-04-16 04:00:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-04-16 04:00:43 +0000

    net-misc/curl: Revert "Stabilize 7.76.0 x86, #779535" due to package list issue

    This reverts commit 5ee0f317215f5efb86b59f26348159880d2a07e9.

    Unclear why the package list got reverted by NATTkA(?). We want to stabilise 7.76.1.

    Bug: https://bugs.gentoo.org/779535
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-7.76.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(mgorny, any ideas what happened with NATTkA here?)
hppa stable
ppc done
sparc stable
ppc64 done
arm64 done
amd64 stable
arm done all arches done
x86 done all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a6aaa3e0ff967d2cb28b87dde7459845aa10269

commit 3a6aaa3e0ff967d2cb28b87dde7459845aa10269
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-25 01:55:58 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-25 01:55:58 +0000

    net-misc/curl: security cleanup

    Bug: https://bugs.gentoo.org/779535
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/curl/Manifest              |   3 -
 net-misc/curl/curl-7.74.0-r2.ebuild | 286 -----------------------------------
 net-misc/curl/curl-7.74.0-r4.ebuild | 289 -----------------------------------
 net-misc/curl/curl-7.75.0.ebuild    | 290 -----------------------------------
 net-misc/curl/curl-7.76.0.ebuild    | 291 ------------------------------------
 5 files changed, 1159 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-36 at https://security.gentoo.org/glsa/202105-36 by GLSA coordinator Thomas Deutschmann (whissi).