From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:8:6d80::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id GKOMJrkkZ2A+NQAAgWs5BA (envelope-from ) for ; Fri, 02 Apr 2021 16:05:45 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id KIdNIbkkZ2AkLwAAbx9fmQ (envelope-from ) for ; Fri, 02 Apr 2021 14:05:45 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E18E9200F3 for ; Fri, 2 Apr 2021 16:05:44 +0200 (CEST) Received: from localhost ([::1]:33652 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lSKQh-00032X-0j for larch@yhetil.org; Fri, 02 Apr 2021 10:05:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56606) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lSKQ3-00032Q-32 for bug-guix@gnu.org; Fri, 02 Apr 2021 10:05:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:49249) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lSKQ2-0001Z4-S8 for bug-guix@gnu.org; Fri, 02 Apr 2021 10:05:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lSKQ2-00066S-LZ for bug-guix@gnu.org; Fri, 02 Apr 2021 10:05:02 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#47563: curl is vulnerable to CVE-2021-22890 and CVE-2021-22876 Resent-From: =?UTF-8?Q?L=C3=A9o?= Le Bouter Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Fri, 02 Apr 2021 14:05:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 47563 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: 47563@debbugs.gnu.org X-Debbugs-Original-To: bug-guix@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.161737228523430 (code B ref -1); Fri, 02 Apr 2021 14:05:02 +0000 Received: (at submit) by debbugs.gnu.org; 2 Apr 2021 14:04:45 +0000 Received: from localhost ([127.0.0.1]:60793 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSKPk-00065q-PS for submit@debbugs.gnu.org; Fri, 02 Apr 2021 10:04:45 -0400 Received: from lists.gnu.org ([209.51.188.17]:35248) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lSKPi-00065i-Ij for submit@debbugs.gnu.org; Fri, 02 Apr 2021 10:04:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56542) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lSKPi-00031e-EK for bug-guix@gnu.org; Fri, 02 Apr 2021 10:04:42 -0400 Received: from mail.zaclys.net ([178.33.93.72]:39769) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lSKPg-0001Hk-0k for bug-guix@gnu.org; Fri, 02 Apr 2021 10:04:42 -0400 Received: from guix-xps.local (lsl43-1_migr-78-195-19-20.fbx.proxad.net [78.195.19.20] (may be forged)) (authenticated bits=0) by mail.zaclys.net (8.14.7/8.14.7) with ESMTP id 132E4Zkg037813 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Fri, 2 Apr 2021 16:04:36 +0200 DMARC-Filter: OpenDMARC Filter v1.3.2 mail.zaclys.net 132E4Zkg037813 Authentication-Results: mail.zaclys.net; spf=fail smtp.mailfrom=lle-bout@zaclys.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zaclys.net; s=default; t=1617372276; bh=wZ+tkaesp+8zpA8DIG5w4c+Rx0qmVIjtylJWYTtu5xI=; h=Subject:From:To:Date:From; b=F8y12PCB3mz+mhQPIKB5fBmzetjxCx2C88lxlBTOfbQQDzD72srqy/7yhQ7pmYOWD kA6g/qfGxgQLNfyPvAIBFpOk34cn39fy/ogazcdwZYFGORMVh9lMCtTcuX4Tkb7W+e TzJ5EyYgdmwPNHZmc7ztgirxUU29wccrtt3z346Q= Message-ID: <3f93f64c692d9e0604aa406a735d81084443b692.camel@zaclys.net> Date: Fri, 02 Apr 2021 16:04:31 +0200 Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-mOK1+BCSGvsyQnPFj8Cj" User-Agent: Evolution 3.34.2 MIME-Version: 1.0 Received-SPF: pass client-ip=178.33.93.72; envelope-from=lle-bout@zaclys.net; helo=mail.zaclys.net X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" Reply-to: =?UTF-8?Q?L=C3=A9o?= Le Bouter From: =?UTF-8?Q?L=C3=A9o?= Le Bouter via Bug reports for GNU Guix X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1617372345; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:resent-cc:resent-from:resent-sender: resent-message-id:list-id:list-help:list-unsubscribe:list-subscribe: list-post:dkim-signature; bh=wZ+tkaesp+8zpA8DIG5w4c+Rx0qmVIjtylJWYTtu5xI=; b=jkVcANcQ0GaSDzxg/nD341aPEtRXMtt6o+ScFuQ8SKAGA1sPWby0xoRm/10V5Ltqmzpgni Vfp3UdWFVWy8snGr9/aRpAlRwJgIgiIgCGQfKRrKYfhP+Mvw0ZH0EJFLaNlXMHS72+KelE nQyTCKu0U1ADTPuztM+jt/IMx7wfeW5MNwmSHmh1lS3dmqoroblkOG78gYphiJfQAogoSS tZasUuulf8l8JLJgs+egMlLQTp14MLzp5sr0b6lobIR3GdestcACFwlTYv1schWHkJqYAZ 4kqlzGZ+K52dV39CutmWKWipxo37/2HOpJ1xN+Eka7JmdOTrnSgzh2MRTOdU9g== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1617372345; a=rsa-sha256; cv=none; b=GFQqC7NpzzQZbBSj+L5DG/rTptWtgiqgfB38Sbqcc7UlxdMvIq166toGppW3lfGrIs4Zf0 HHFNH8LGlD82j4O5ygbVRVBsOkYxRDNmw4xz0pC3B0amcPQt/U387FQnxxqgk/lKE/mv/5 +UD4NyCSIqzaCn0VdSI+bqMfLewx3+nr7eaGiWKqjhIdhOMNup/27HQiyBQnzCAKnFP8q5 0V/DM9t4lhqohlJqkKaupZhG74XhhUIxaGw8WNYTbRlAGArSM30cU1UZIhJj5olHBjb1Y6 FXZX06q+9g5rwy1rsvlWWkc+YvnrKBOZnjDWqksPgLcQbnjCFzxHq8HZsw4JGA== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=F8y12PCB; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Spam-Score: -3.53 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=zaclys.net header.s=default header.b=F8y12PCB; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of bug-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=bug-guix-bounces@gnu.org X-Migadu-Queue-Id: E18E9200F3 X-Spam-Score: -3.53 X-Migadu-Scanner: scn0.migadu.com X-TUID: emanAvecUBHl --=-mOK1+BCSGvsyQnPFj8Cj Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable CVE-2021-22890 01.04.21 20:15 curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check. CVE-2021-22876 01.04.21 20:15 curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. A WIP patch will follow, please help finishing it (rebase curl-CVE- 2021-22890.patch on 7.74.0). --=-mOK1+BCSGvsyQnPFj8Cj Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBnJG8ACgkQRaix6GvN EKav4w/+PCzpWxHBBYPmiJMIFWyKXCYkd9Bt+gEOmrqIDhugxWhOOnHMjLhQieHt 675f4YwieeObGpDBmFyzCzFqshquZle5/Um7ECmvo8wQlRJiEiwYzQFrnt2NLCTo PLc0yQAUCkGv/X9XS2DROhwtibqJUmCXurQlxbnDiLQqcFruI1DedYHYVjRcUsOd EBqzJT8WNmiklE1psVQDuc28Ui05eElhW9ZNLLZFVDyAnad1iWU+FoAfojTz/TDX UavvHZ7ylvc800f1KJV97QSSBCLmqMER/3AktfKB3WiFDZT1BeL0fI1IlJLIcStk eKW3nWqfs2RV6k/iwK3Cyzj+DUHfQtj3YV6vLAKiHWljhyGqQjsEyXcKor6K3oz0 G2dxru+tmyCDJ9Qxo1GmQpVbppmjgA+bTIK22D84f9/j1aicfRR81eSXG3fshUSV 7W7LK76kG/jW6UBx3RBW+GVRwnj/kfwGaP3MhpXzWqrFgkFYXzWgFt8qZi+sU5tC JUODKSvFu30RlI7EOfiBI9KxA6Xv3dWrKV5S60xaLyRDd4EKUzz1MFLOk+NNKZSm e3kQD7e60G0d68LqVKtUC3HHiY+cDdZFZbGrPeCRwcAntiNU2QLS667dQ62B7Yjl atBEUgmU2pkfjJT+CnaM6q1PzWqB7NEsqlvoEnefYxfmS5/TcR4= =5xPw -----END PGP SIGNATURE----- --=-mOK1+BCSGvsyQnPFj8Cj--