Your message dated Thu, 08 Apr 2021 13:18:40 +0000
with message-id <e1luuys-0003c3...@fasolo.debian.org>
and subject line Bug#986270: fixed in curl 7.74.0-1.2
has caused the Debian Bug report #986270,
regarding curl: CVE-2021-22890
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
986270: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986270
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: curl
Version: 7.74.0-1.1
Severity: serious
Tags: security upstream
Justification: security regression from stable
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 7.64.0-4
Control: fixed -1 7.64.0-4+deb10u2

Hi,

The following vulnerability was published for curl, filing as RC so
it appears on the list of issues to be fixed before the bullseye release.

CVE-2021-22890[0]:
| curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows
| a malicious HTTPS proxy to MITM a connection due to bad handling of
| TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl
| can confuse session tickets arriving from the HTTPS proxy but work as
| if they arrived from the remote server and then wrongly "short-cut"
| the host handshake. When confusing the tickets, a HTTPS proxy can
| trick libcurl to use the wrong session ticket resume for the host and
| thereby circumvent the server TLS certificate check and make a MITM
| attack to be possible to perform unnoticed. Note that such a malicious
| HTTPS proxy needs to provide a certificate that curl will accept for
| the MITMed server for an attack to work - unless curl has been told to
| ignore the server certificate check.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-22890
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22890
[1] https://curl.se/docs/CVE-2021-22890.html

Regards,
Salvatore

--- End Message ---
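The session-cache confusion that the CVE text above describes, as an added example that is not part of the original report and is not libcurl source: a simplified C model of a TLS session cache in which the pre-fix path infers whether a new TLS 1.3 session ticket came from the proxy or the origin from connection state, while the post-fix path is told explicitly (the 'isproxy' argument named in the changelog). Everything else here (struct conn, file_ticket_pre_fix, file_ticket_post_fix, origin_resume_ticket, the host names and ticket value) is hypothetical and constructed for the illustration.

```c
/* Added example: simplified model of the CVE-2021-22890 session-cache
 * confusion. NOT libcurl code; all names below are hypothetical except the
 * 'isproxy' argument mentioned in the Debian changelog. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4

struct session {
    bool used;
    char peer[64];   /* host name the entry is filed under */
    int ticket;      /* stands in for the opaque TLS 1.3 session ticket */
};

struct conn {
    const char *proxy_name;    /* HTTPS proxy we talk TLS to first */
    const char *host_name;     /* origin server, TLS tunnelled through the proxy */
    bool proxy_ssl_connected;  /* state bit: proxy handshake has finished */
    struct session cache[SLOTS];
};

/* File a session under `peer` (first free slot; constructed cache, no eviction). */
static void add_session(struct conn *c, const char *peer, int ticket)
{
    for (int i = 0; i < SLOTS; i++) {
        if (!c->cache[i].used) {
            c->cache[i].used = true;
            snprintf(c->cache[i].peer, sizeof c->cache[i].peer, "%s", peer);
            c->cache[i].ticket = ticket;
            return;
        }
    }
}

/* Lookup when a new TLS connection to `peer` starts: ticket to resume, or -1
 * meaning "no session, run a full handshake and verify the certificate". */
static int get_session(const struct conn *c, const char *peer)
{
    for (int i = 0; i < SLOTS; i++)
        if (c->cache[i].used && strcmp(c->cache[i].peer, peer) == 0)
            return c->cache[i].ticket;
    return -1;
}

/* Pre-fix model: the new-session callback derives isproxy from connection
 * state. With TLS 1.3 the proxy's NewSessionTicket arrives only after the
 * proxy handshake is already marked complete, so the state says "not the
 * proxy" and the proxy's ticket is filed under the origin host's name. */
static void file_ticket_pre_fix(struct conn *c, int ticket)
{
    bool isproxy = !c->proxy_ssl_connected;  /* wrong once the proxy handshake is done */
    add_session(c, isproxy ? c->proxy_name : c->host_name, ticket);
}

/* Post-fix model: the callback for the proxy's TLS object passes isproxy
 * explicitly, so the ticket is filed under the proxy's name. */
static void file_ticket_post_fix(struct conn *c, bool isproxy, int ticket)
{
    add_session(c, isproxy ? c->proxy_name : c->host_name, ticket);
}

/* Scenario: proxy handshake completes, a TLS 1.3 ticket from the proxy
 * arrives, then a request to the origin looks for a session to resume.
 * Returns the proxy's ticket pre-fix (handshake short-cut, certificate check
 * skipped) and -1 post-fix (full handshake). */
static int origin_resume_ticket(bool fixed)
{
    struct conn c = { .proxy_name = "proxy.example", .host_name = "origin.example" };
    const int PROXY_TICKET = 0x5eed;  /* constructed stand-in for the ticket */

    c.proxy_ssl_connected = true;     /* proxy TLS handshake finished */
    if (fixed)
        file_ticket_post_fix(&c, true, PROXY_TICKET);  /* callback on the proxy SSL object */
    else
        file_ticket_pre_fix(&c, PROXY_TICKET);         /* misattributed to the origin */

    return get_session(&c, c.host_name);
}

int main(void)
{
    printf("pre-fix:  origin resumes with ticket %d (the proxy's ticket)\n",
           origin_resume_ticket(false));
    printf("post-fix: origin resumes with ticket %d (-1: full handshake)\n",
           origin_resume_ticket(true));
    return 0;
}
```

The security-relevant point the model isolates is the resumption short-cut: a session resumed from a ticket skips the certificate exchange, so a ticket issued by the proxy but filed under the origin host's name lets the proxy complete the "origin" handshake itself, which is the MITM the advisory describes. Deriving the proxy/origin distinction from connection state is what breaks under TLS 1.3, where tickets arrive asynchronously after the handshake; passing the distinction explicitly with the ticket is the fix.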
--- Begin Message ---
Source: curl
Source-Version: 7.74.0-1.2
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
curl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated curl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 03 Apr 2021 14:43:39 +0200
Source: curl
Architecture: source
Version: 7.74.0-1.2
Distribution: unstable
Urgency: medium
Maintainer: Alessandro Ghedini <gh...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 986269 986270
Changes:
 curl (7.74.0-1.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * transfer: strip credentials from the auto-referer header field
     (CVE-2021-22876) (Closes: #986269)
   * vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
     (CVE-2021-22890) (Closes: #986270)
Checksums-Sha1:
 df4d0894e9e52b6bd581cc378e3828801dbf61d9 2822 curl_7.74.0-1.2.dsc
 78e3d65bc63144c4cd7fa0da882e8c2583ca6c77 36160 curl_7.74.0-1.2.debian.tar.xz
 0c4f545e2ed2e8f10b39c954ec123f0fb3c59a4b 12140 curl_7.74.0-1.2_amd64.buildinfo
Checksums-Sha256:
 ea8253d4d649bef182b50a079aed7f2feb0e4e3530b65be08c904569d322e3e1 2822 curl_7.74.0-1.2.dsc
 deec4d2367597962e6ca679082775580add6aa92e0735f5cb7aa438196bda7fb 36160 curl_7.74.0-1.2.debian.tar.xz
 ef3608371140330f373c88e791966a55e4752dec9ae0a5aaf2164c9aa4327353 12140 curl_7.74.0-1.2_amd64.buildinfo
Files:
 7bf00c1a978fc82adf60f27bec55a46f 2822 web optional curl_7.74.0-1.2.dsc
 c31d9111199e552f95fdac8c72f212bf 36160 web optional curl_7.74.0-1.2.debian.tar.xz
 bb9b50b6e7e2fe9038a59c054b751ac2 12140 web optional curl_7.74.0-1.2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---