Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

update: curl #1511

Closed
dongsupark opened this issue Aug 6, 2024 · 0 comments · Fixed by flatcar/scripts#2227
Closed

update: curl #1511

dongsupark opened this issue Aug 6, 2024 · 0 comments · Fixed by flatcar/scripts#2227
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

dongsupark commented Aug 6, 2024
edited
Loading

Name: curl
CVEs: CVE-2024-7264
CVSSs: 6.5
Action Needed: update to >= 8.9.1

Summary: libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

refmap.gentoo: https://bugs.gentoo.org/937125
@dongsupark dongsupark added security security concerns advisory security advisory labels Aug 6, 2024
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Aug 6, 2024
@krnowak krnowak mentioned this issue Aug 13, 2024
Merged
2 tasks
@github-actions github-actions bot mentioned this issue Aug 22, 2024
Closed
@dongsupark dongsupark added the cvss/MEDIUM >= 4 && < 7 assessed CVSS label Sep 5, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
advisory security advisory cvss/MEDIUM >= 4 && < 7 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Weekly portage-stable package updates 2024-08-12 flatcar/scripts
1 participant
@dongsupark