
Bug 887745 (CVE-2022-43551, CVE-2022-43552)

Summary: <net-misc/curl-7.87.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system, kangie
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/29365
Whiteboard: A3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 887833, 888801
Bug Blocks:

Description John Helmert III 2022-12-21 17:02:44 UTC
https://curl.se/docs/CVE-2022-43551.html: CVE-2022-43551: Another HSTS bypass via IDN
https://curl.se/docs/CVE-2022-43552.html: CVE-2022-43552: HTTP Proxy deny use-after-free

Please bump to 7.87.0.
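As an added example (not code from this bug, from curl or from Gentoo), a POSIX shell check that decides whether an installed curl falls inside the affected range named in the summary, <net-misc/curl-7.87.0. It compares each dotted version component numerically, so 7.9.0 sorts below 7.87.0 as it should, where a plain string compare would not; a Gentoo revision suffix such as -r3 is stripped first because it does not change the upstream code. The `curl --version` banner used below is a constructed string so the script runs offline; the commented-out line is the live call.

```shell
# Added example, not part of the bug report: test an installed curl against
# the affected range "<net-misc/curl-7.87.0" from this bug.
FIXED_VERSION="7.87.0"

# version_lt A B: exit 0 if A < B, comparing major.minor.patch numerically.
# A missing component is treated as 0 (e.g. "7.86" is read as 7.86.0).
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# curl_version_from_banner LINE: extract "7.86.0" from a `curl --version`
# first line such as "curl 7.86.0 (x86_64-pc-linux-gnu) libcurl/7.86.0 ...".
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p'
}

# curl_affected VERSION: exit 0 if VERSION (optionally carrying a Gentoo
# revision suffix, e.g. 7.86.0-r3) is below the fixed 7.87.0.
curl_affected() {
    v=${1%%-r*}
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed banner so the check runs offline; swap in the live call on a host.
banner="curl 7.86.0 (x86_64-pc-linux-gnu) libcurl/7.86.0 OpenSSL/3.0.7 zlib/1.2.13"
# banner=$(curl --version | head -n 1)
v=$(curl_version_from_banner "$banner")
if curl_affected "$v"; then
    echo "curl $v is affected (< $FIXED_VERSION): CVE-2022-43551, CVE-2022-43552"
else
    echo "curl $v is not affected by this bug"
fi
```

On a Gentoo host the installed package version can also be read from the package database with `qlist -Iv net-misc/curl`, which yields the ebuild version including any -rN revision; that string can be passed straight to `curl_affected`.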
Comment 1 Larry the Git Cow 2022-12-21 23:09:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb0e7f0d149103492b0dd1d687df8c55c6c9fca

commit dfb0e7f0d149103492b0dd1d687df8c55c6c9fca
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-21 23:08:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-21 23:09:18 +0000

    net-misc/curl: add 7.87.0
    
    Bug: https://bugs.gentoo.org/887745
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest           |   2 +
 net-misc/curl/curl-7.87.0.ebuild | 299 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)
Comment 2 Larry the Git Cow 2023-02-01 07:27:10 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70e478afca6ee420e77c320a37bbb6045b6a302e

commit 70e478afca6ee420e77c320a37bbb6045b6a302e
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-02-01 01:03:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-01 07:25:59 +0000

    net-misc/curl: drop 7.86.0-r3, 7.87.0-r1
    
    Drop vulnerable and obsolete.
    
    Closes: https://bugs.gentoo.org/887745
    Closes: https://bugs.gentoo.org/888801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/29365
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest              |   2 -
 net-misc/curl/curl-7.86.0-r3.ebuild | 302 ------------------------------------
 net-misc/curl/curl-7.87.0-r1.ebuild | 301 -----------------------------------
 3 files changed, 605 deletions(-)
Comment 3 John Helmert III 2023-02-20 18:36:54 UTC
Not to be closed!
Comment 4 Larry the Git Cow 2023-10-11 08:41:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3dfe02046c2bc76fb7e910a04702603b72fcb98c

commit 3dfe02046c2bc76fb7e910a04702603b72fcb98c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-11 08:40:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-11 08:41:24 +0000

    [ GLSA 202310-12 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/887745
    Bug: https://bugs.gentoo.org/894676
    Bug: https://bugs.gentoo.org/902801
    Bug: https://bugs.gentoo.org/906590
    Bug: https://bugs.gentoo.org/910564
    Bug: https://bugs.gentoo.org/914091
    Bug: https://bugs.gentoo.org/915195
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-12.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)