
Curl Update (Slackware)

Posted: Sat Apr 03, 2021 1:57 am
by 8Geee

Just found this tonight, dated 3/31/21...

"curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake."

Folks with Curl using TLS1.3 should update curl.
So should the rest of us...

"curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request."

Regards
8Geee
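The second advisory quoted above is a client-side header-construction bug: the previous URL, credentials and all, was copied into the next request's Referer header. As an added example (not from this thread and not curl's own code), here is what a client should do when it derives a Referer value from a URL, with the unsafe behaviour beside the safe one and a check that can be run over captured header values. The sample URLs are constructed for the example.

```python
"""Added example (not from the forum thread or the curl project): deriving a
Referer header value from the previous request's URL without carrying the
embedded user:password credentials along, the defect described for
curl 7.1.1 through 7.75.0. Standard library only."""
from urllib.parse import urlsplit, urlunsplit


def naive_referer(previous_url: str) -> str:
    """The unsafe behaviour: the previous URL is reused verbatim as the
    Referer value, so https://user:secret@host/path sends 'user:secret'
    to whatever server the follow-up request goes to."""
    return previous_url


def safe_referer(previous_url: str) -> str:
    """Strip userinfo (user:password@) and the fragment before the URL is
    used as a Referer value.  RFC 7231 section 5.5.2 already says the
    fragment must not be sent; credentials in the authority part should
    never leave the client either."""
    parts = urlsplit(previous_url)
    # rsplit on the netloc only, so an '@' inside the query is untouched
    netloc = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def referer_has_userinfo(referer_value: str) -> bool:
    """True if a Referer header value (e.g. one seen in a proxy log or a
    packet capture) still contains an authority with userinfo."""
    return "@" in urlsplit(referer_value).netloc


# constructed sample: a download URL carrying credentials and a fragment
PREVIOUS_URL = "https://alice:s3cret@files.example.test/dl?id=42#part2"

if __name__ == "__main__":
    print("unsafe:", naive_referer(PREVIOUS_URL))
    print("safe:  ", safe_referer(PREVIOUS_URL))
    print("leaks? ", referer_has_userinfo(naive_referer(PREVIOUS_URL)),
          referer_has_userinfo(safe_referer(PREVIOUS_URL)))
```

The same `referer_has_userinfo` check is a cheap thing to run over outbound proxy logs if you want to know whether any tool on the network is still emitting credentials in Referer headers.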


Re: Curl Update (Slackware)

Posted: Sat Apr 03, 2021 2:15 pm
by mikeslr

Thanks, 8Geee, for the post. Publishers of Puppies take notice that an even shorter version of that short post is that curl should be updated for PROBABLY all Puppy versions because curl 7.63.0 to and including 7.75.0 includes a vulnerability that allows a malicious HTTPS proxy to MITM --which I take to mean "man in the middle"-- and curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials.

My Bionicpup64 came with 7.58.0, release date 2018-01-24, per the terminal command "curl --version".

Is updating as easy as downloading an updated version from a repo and installing? Or does curl have dependencies which must be met? Or will such a simple install of an updated version break something?

This was addressed to Publishers, as their providing updates would be much more efficient than thousands of Puppy Fans doing 'home-brews'.


Re: Curl Update (Slackware)

Posted: Sat Apr 03, 2021 2:29 pm
by bigpup

curl / Download
https://curl.se/download.html

Has about any way you want to get it.
Each main stream version of Linux has a package specific for them.
So, for Bionicpup, the one for Ubuntu Bionic should work.


Re: Curl Update (Slackware)

Posted: Sat Apr 03, 2021 4:09 pm
by mikeslr

Hi bigpup,

Unless I missed something, while the website you linked to does provide packages, I didn't see anything to indicate that the packages provided were "patched". In other words, for example, the curl 7.58.0 for Bionic is the same 7.58.0 available since 2018 and does not address the vulnerabilities 8Geee pointed out. Further, as far as I can tell, as yet neither the publishers at that site, nor Ubuntu, nor Debian --whose libraries are often used by Ubuntu or can be used by 'Ubuntu users', including 'Ubuntu-compatible' Puppy version users-- have published a curl 7.76 version, one which does address those vulnerabilities.

Which leads to several other questions. As someone who doesn't compile, in order to build applications requiring libraries I've occasionally foraged at https://pkgs.org/ which provides a Search box and links to the repositories of many 'Major Distros'. Very often the difference between a package from one distro and that from another is merely how it's been packaged: i.e., assembled to be used by a specific package manager. Under Puppys, the package can be decompressed and the actual library or binary used. But not always. Sometimes a binary or library has been compiled with reference to other binaries or libraries of that distro: attempts to employ it in a different distro fail.

The 32-bit/64-bit dichotomy always must be considered. But other than that, is it possible to use the curl compiled for a different distro --or with regard to Puppys, a non-binary-compatible distro? I note, for example, that curl 7.76 has been published for both Slackware 64 and Slackware 32-bit systems.

If an updated library relating to security can be employed across distros, shouldn't a pet be provided via a link in the Additional Software>Security Section?


Re: Curl Update (Slackware)

Posted: Sat Apr 03, 2021 4:36 pm
by bigpup

Probably are going to have to use the source files, at the top of the web page, and compile for a specific Puppy version.


Re: Curl Update (Slackware)

Posted: Sun Apr 04, 2021 11:13 am
by ozsouth

ScPup64-21.04 has curl 7.76 and the required glibc 2.33. Earlier ScPup64 versions have glibc 2.30 which will not allow slackware current64's curl 7.76 package to work.


Re: Curl Update (Slackware)

Posted: Sun Apr 04, 2021 1:52 pm
by wiak

I didn't myself know about this curl vulnerability, but have since checked my WDL_Arch54 system, which it turns out uses:


[root@bootstrap ~]# curl --version
curl 7.76.0 (x86_64-pc-linux-gnu) libcurl/7.76.0 OpenSSL/1.1.1j zlib/1.2.11 zstd/1.4.8 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.9.0 nghttp2/1.41.0
Release-Date: 2021-03-31

It's a rolling release distro.
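Several posts in this thread boil down to reading `curl --version` and deciding whether the installed build falls inside the ranges quoted in the first post. As an added example (not from the thread), here is a small checker that parses that output, looks at the libcurl version (the bugs are in the library, and the tool and library versions can differ), and reports which of the two quoted ranges it falls in. The sample output strings are constructed to match the format shown above; the ranges are exactly the ones quoted in the first post.

```python
"""Added example (not from the forum thread): parse `curl --version` output
and compare the libcurl version against the affected ranges quoted in the
first post of this thread.  Standard library only."""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (description, first affected, last affected), as quoted in the first post
AFFECTED_RANGES = [
    ("HTTPS proxy TLS 1.3 session ticket confusion", (7, 63, 0), (7, 75, 0)),
    ("credentials leaked in Referer header", (7, 1, 1), (7, 75, 0)),
]

# the library version is what matters; fall back to the tool version
LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")
TOOL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_curl_version(output: str) -> Optional[Version]:
    """Return the libcurl version from `curl --version` output, or the
    curl tool version if no libcurl tag is present, or None."""
    m = LIBCURL_RE.search(output) or TOOL_RE.search(output)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def affected_issues(version: Version) -> List[str]:
    """Descriptions of the quoted issues whose range includes `version`.
    Tuple comparison gives the right ordering for dotted versions."""
    return [name for name, lo, hi in AFFECTED_RANGES if lo <= version <= hi]


def check_installed_curl() -> Optional[Tuple[Version, List[str]]]:
    """Run the real `curl --version` on this machine (returns None if curl
    is missing or its output cannot be parsed)."""
    try:
        proc = subprocess.run(["curl", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    version = parse_curl_version(proc.stdout)
    return None if version is None else (version, affected_issues(version))


# constructed samples in the format the thread shows
SAMPLE_OLD = ("curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0\n"
              "Release-Date: 2018-01-24\n")
SAMPLE_NEW = ("curl 7.76.0 (x86_64-pc-linux-gnu) libcurl/7.76.0\n"
              "Release-Date: 2021-03-31\n")

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        v = parse_curl_version(sample)
        print(".".join(map(str, v)), "->", affected_issues(v) or "not in the quoted ranges")
    print("this machine:", check_installed_curl())
```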


Re: Curl Update (Slackware)

Posted: Mon Apr 05, 2021 10:28 am
by mistfire

I wonder if my new QuickPup 21.00 can fetch that update from slackware current via newly improved updates_mgr?


Re: Curl Update (Slackware)

Posted: Mon Apr 05, 2021 12:12 pm
by ozsouth

I compiled curl 7.76.0 for glibc 2.30 for older ScPup64 versions (21.01, 20.06, 20.01).
See: viewtopic.php?p=21946#p21946


Re: Curl Update (Slackware)

Posted: Mon Apr 05, 2021 5:57 pm
by peebee

Slackware 14.2 has updated to 7.76 and is probably quite widely applicable as it uses glibc-2.23 ....

http://slackware.cs.utah.edu/pub/slackw ... ck14.2.txz

http://slackware.cs.utah.edu/pub/slackw ... ck14.2.txz


Re: Curl Update (Slackware)

Posted: Fri Apr 09, 2021 12:30 pm
by mistfire

Latest curl update is now included on QuickPup 21.01


Re: Curl Update (Slackware)

Posted: Fri Apr 30, 2021 8:57 pm
by 8Geee

So how do I, in slacko-5.7, get to at least glibc2.23... OpenSSL1.1.1* requires glibc2.25 with calls to 2.17 and 2.16.
I would like to keep AtomicPup usable for FTP purposes, now that all browsers no longer support it.

Thanks and regards
8Geee