This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate.
Use the following template for the 'fedpkg update' request to submit an update for this issue, as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====
# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=medium

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2077547,2079169

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======

Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new
FEDORA-2022-fc5776b142 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc5776b142
FEDORA-2022-411f088574 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-411f088574
FEDORA-2022-3517572083 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-3517572083
FEDORA-2022-fc5776b142 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-fc5776b142` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-fc5776b142 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-411f088574 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-411f088574` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-411f088574 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-3517572083 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-3517572083` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3517572083 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
We have noticed that CVE-2022-27774 backports for f34 and f35 are missing one of the patches. According to https://curl.se/docs/CVE-2022-27774.html there are two commits fixing the CVE. Only https://github.com/curl/curl/commit/620ea21410030a997 is included in https://src.fedoraproject.org/rpms/curl/blob/f35/f/0005-curl-7.82.0-CVE-2022-27774.patch The https://github.com/curl/curl/commit/139a54ed0a172ada seems to be missing.
Created attachment 1876153: CVE-2022-27774 patch 2 for 7.76.1
Created attachment 1876154: CVE-2022-27774 patch 2 for 7.79.1
FYI I have attached 2 patches we use on top of f34 and f35 in case those would be useful. For curl 7.76.1 the cherry-pick was with conflicts, so please re-review if you'd use the patch.
Indeed. I have missed the SRP follow-up. Thank you for pointing it out!
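The situation reported above (a dist-git backport that carries only one of the two upstream commits the advisory lists) is easy to miss by eye when the patch is a single file. As an added example, not part of this bug report and not Fedora or curl tooling, the script below compares the lines each upstream commit adds against the backport patch and reports which upstream hunks are absent. The patch texts embedded in it are constructed stand-ins; the commit ids, file paths and function names in them are invented for illustration.

```python
"""Backport completeness check: does one dist-git patch carry every
upstream fix hunk the advisory lists?

Added example, not part of this bug report or of Fedora/curl tooling.
The patch texts below are constructed stand-ins; commit ids, file
paths and function names in them are invented for illustration.
"""
from typing import Dict, List, Set, Tuple

AddedLines = Dict[str, Set[str]]  # target file -> lines the patch adds


def parse_added_lines(patch_text: str) -> AddedLines:
    """Map each target file of a unified diff to the set of lines it adds.

    Lines are compared after stripping surrounding whitespace, so a
    backport that merely re-indents a hunk still counts as carrying it.
    """
    added: AddedLines = {}
    current = None
    for line in patch_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:].split("\t", 1)[0]
            if path.startswith("b/"):  # git's "b/" prefix on the new file
                path = path[2:]
            current = path
            added.setdefault(current, set())
        elif line.startswith("+") and current is not None:
            content = line[1:].strip()
            if content:
                added[current].add(content)
    return added


def missing_from_backport(upstream: Dict[str, str],
                          backport: str) -> Dict[str, List[Tuple[str, str]]]:
    """For each upstream commit id, list (file, line) pairs the backport lacks."""
    have = parse_added_lines(backport)
    report: Dict[str, List[Tuple[str, str]]] = {}
    for commit, text in upstream.items():
        report[commit] = [
            (path, line)
            for path, lines in parse_added_lines(text).items()
            for line in sorted(lines)
            if line not in have.get(path, set())
        ]
    return report


def incomplete_commits(upstream: Dict[str, str], backport: str) -> List[str]:
    """Commit ids whose added lines are not all present in the backport."""
    return [c for c, m in missing_from_backport(upstream, backport).items() if m]


# Constructed stand-ins for the two upstream commits an advisory might list.
UPSTREAM_FIXES = {
    "commit-a": """\
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -100,2 +100,4 @@ static int follow_redirect(struct session *data)
   if(host_changed(data)) {
+    /* constructed: drop HTTP credentials before following */
+    drop_http_credentials(data);
   }
""",
    "commit-b": """\
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -200,2 +200,4 @@ static int tls_connect_step1(struct session *data)
   if(host_changed(data)) {
+    /* constructed: also drop TLS-SRP credentials on redirect */
+    drop_tls_srp_credentials(data);
   }
""",
}

# Constructed dist-git backport that carried only the first commit
# (re-indented, which the whitespace-insensitive comparison tolerates).
BACKPORT_PATCH = """\
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -90,2 +90,4 @@ static int follow_redirect(struct session *data)
   if(host_changed(data)) {
+      /* constructed: drop HTTP credentials before following */
+      drop_http_credentials(data);
   }
"""

if __name__ == "__main__":
    for commit, missing in missing_from_backport(UPSTREAM_FIXES, BACKPORT_PATCH).items():
        status = "ok" if not missing else f"MISSING {len(missing)} added line(s)"
        print(f"{commit}: {status}")
        for path, line in missing:
            print(f"    {path}: {line}")
```

In practice the upstream side would be filled from `git show <commit>` for each commit id the advisory page lists, and the backport side from the patch file in dist-git. A cherry-pick that was resolved with conflicts (as mentioned for the 7.76.1 patch above) can legitimately differ line by line, so a "missing" result is a prompt to review that hunk, not proof that the fix is absent.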
FEDORA-2022-3517572083 has been pushed to the Fedora 36 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2022-3d8f00cde2 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-3d8f00cde2` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3d8f00cde2 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-8277bef335 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-8277bef335` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-8277bef335 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-3d8f00cde2 has been pushed to the Fedora 35 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2022-8277bef335 has been pushed to the Fedora 34 stable repository. If the problem still persists, please make note of it in this bug report.