| Summary: | <net-misc/curl-7.76.0: multiple vulnerabilities (CVE-2021-{22876,22890}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | blueness, dan, mgorny, sam |
| Priority: | Normal | Flags: | nattka: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A4 [glsa+ cve] | | |
| Package list: | net-misc/curl-7.76.1 | | |
| Runtime testing required: | --- | | |
| Bug Depends on: | 740206 | | |
| Bug Blocks: | | | |
Description

John Helmert III, 2021-03-31 12:43:41 UTC

I assume this is the same set of vulnerabilities mentioned in bug 777648?

(In reply to Emily Rowlands from comment #1)
> I assume this is the same set of vulnerabilities mentioned in bug 777648?

It is, although the info's here, so I'll mark that as a dup of this -- thanks!

*** Bug 777648 has been marked as a duplicate of this bug. ***

There is an HTTP/2 regression with a patch available that may come in a release this weekend: https://curl.se/mail/lib-2021-04/0000.html

"Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2 regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS backends.

Probably reason enough for a patch release, but the final verdict for patch release or not will happen during this coming weekend. Stay tuned."

(In reply to John Helmert III from comment #4)
> There is an HTTP/2 regression with a patch available that may come in a
> release this weekend: https://curl.se/mail/lib-2021-04/0000.html
>
> "Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2
> regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS
> backends.
>
> Probably reason enough for a patch release, but the final verdict for patch
> release or not will happen during this coming weekend. Stay tuned."

I've got 7.76.0 in the tree now. Maybe wait for 7.76.1?

(In reply to Anthony Basile from comment #5)
> (In reply to John Helmert III from comment #4)
> > There is an HTTP/2 regression with a patch available that may come in a
> > release this weekend: https://curl.se/mail/lib-2021-04/0000.html
> >
> > "Turns out I did a pretty major blunder and 7.76.0 shipped with a HTTP/2
> > regression that makes it not enable HTTP/2 over HTTPS for 7 different TLS
> > backends.
> >
> > Probably reason enough for a patch release, but the final verdict for patch
> > release or not will happen during this coming weekend. Stay tuned."
>
> I've got 7.76.0 in the tree now. Maybe wait for 7.76.1?

Coming in < 48 hrs apparently

7.76.1 is released.

(In reply to John Helmert III from comment #7)
> 7.76.1 is released.

It's on the tree. Go ahead and start stabilization.

x86 done

looks like 7.76.0 was stabilized on x86, instead of 7.76.1

(In reply to Scott Howard from comment #10)
> looks like 7.76.0 was stabilized on x86, instead of 7.76.1

Package list fixed now. Good spot.

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5785b9874b5b556912b5d12444dabcd619cc4f15

commit 5785b9874b5b556912b5d12444dabcd619cc4f15
Author: Sam James <sam@gentoo.org>
AuthorDate: 2021-04-16 04:00:43 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2021-04-16 04:00:43 +0000

    net-misc/curl: Revert "Stabilize 7.76.0 x86, #779535" due to package list issue

    This reverts commit 5ee0f317215f5efb86b59f26348159880d2a07e9.

    Unclear why the package list got reverted by NATTkA(?). We want to stabilise 7.76.1.

    Bug: https://bugs.gentoo.org/779535
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/curl-7.76.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(mgorny, any ideas what happened with NATTkA here?)

hppa stable

ppc done

sparc stable

ppc64 done

arm64 done

amd64 stable

arm done

all arches done

x86 done

all arches done

Please cleanup, thanks!

The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a6aaa3e0ff967d2cb28b87dde7459845aa10269

commit 3a6aaa3e0ff967d2cb28b87dde7459845aa10269
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-25 01:55:58 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-25 01:55:58 +0000

    net-misc/curl: security cleanup

    Bug: https://bugs.gentoo.org/779535
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 net-misc/curl/Manifest              |   3 -
 net-misc/curl/curl-7.74.0-r2.ebuild | 286 -----------------------------------
 net-misc/curl/curl-7.74.0-r4.ebuild | 289 -----------------------------------
 net-misc/curl/curl-7.75.0.ebuild    | 290 -----------------------------------
 net-misc/curl/curl-7.76.0.ebuild    | 291 ------------------------------------
 5 files changed, 1159 deletions(-)

New GLSA request filed.

This issue was resolved and addressed in GLSA 202105-36 at https://security.gentoo.org/glsa/202105-36 by GLSA coordinator Thomas Deutschmann (whissi).