| Summary: | <net-misc/curl-7.79.0: Multiple vulnerabilities (CVE-2021-{22945,22946,22947}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | blueness |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | A2 [glsa+] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 814485 | ||
| Bug Blocks: | |||
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9886665e4f3d22da1d722509fd5de9000a36d4d6 commit 9886665e4f3d22da1d722509fd5de9000a36d4d6 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-09-18 02:52:49 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-09-18 02:52:49 +0000 net-misc/curl: add 7.79.0 Bug: https://bugs.gentoo.org/813270 Signed-off-by: Sam James <sam@gentoo.org> net-misc/curl/Manifest | 1 + net-misc/curl/curl-7.79.0.ebuild | 293 +++++++++++++++++++++ .../curl-7.79.0-http-3digit-response-code.patch | 107 ++++++++ .../files/curl-7.79.0-http2-connection-data.patch | 43 +++ 4 files changed, 444 insertions(+) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc195c961bbf981a8368f108fa33ae38e4a9e1e8 commit bc195c961bbf981a8368f108fa33ae38e4a9e1e8 Author: Sam James <sam@gentoo.org> AuthorDate: 2021-09-18 04:21:34 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2021-09-18 04:22:39 +0000 net-misc/curl: drop test case for response code Fails for now, but keeping an eye upstream. Bug: https://bugs.gentoo.org/813270 Signed-off-by: Sam James <sam@gentoo.org> .../curl-7.79.0-http-3digit-response-code.patch | 60 ---------------------- 1 file changed, 60 deletions(-) Not going to stable until at least patch release on Wednesday: https://github.com/curl/curl/issues/7738#issuecomment-922028899 (In reply to Sam James from comment #3) > Not going to stable until at least patch release on Wednesday: > https://github.com/curl/curl/issues/7738#issuecomment-922028899 7.79.1 is now on the tree and includes both back ported patches that are in 7.79.0. curl-7.79.0-http2-connection-data.patch curl-7.79.0-http-3digit-response-code.patch Please cleanup (In reply to John Helmert III from comment #5) > Please cleanup Sorry I just notice this. <net-misc/curl-7.79.0 has been off the tree for a long time. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=d4066956acc3f238eef20bbbad18f982301dd80b commit d4066956acc3f238eef20bbbad18f982301dd80b Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-12-19 01:59:44 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-12-19 02:04:27 +0000 [ GLSA 202212-01 ] curl: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/803308 Bug: https://bugs.gentoo.org/813270 Bug: https://bugs.gentoo.org/841302 Bug: https://bugs.gentoo.org/843824 Bug: https://bugs.gentoo.org/854708 Bug: https://bugs.gentoo.org/867679 Bug: https://bugs.gentoo.org/878365 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202212-01.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) GLSA released, all done. |
Fixed in 7.79.0: CVE-2021-22945: clear the leftovers pointer when sending succeeds CVE-2021-22946: do not ignore --ssl-reqd CVE-2021-22947: reject STARTTLS server response pipelining