887745 – (CVE-2022-43551, CVE-2022-43552) <net-misc/curl-7.87.0: multiple vulnerabilities

Bug 887745 (CVE-2022-43551, CVE-2022-43552) - <net-misc/curl-7.87.0: multiple vulnerabilities

Summary: <net-misc/curl-7.87.0: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2022-43551, CVE-2022-43552

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa?]
Keywords:	PullRequest

Depends on:	887833 888801
Blocks:
	Show dependency tree

Reported:	2022-12-21 17:02 UTC by John Helmert III
Modified:	2023-02-20 18:36 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/29365
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-21 17:02:44 UTC

https://curl.se/docs/CVE-2022-43551.html: CVE-2022-43551: Another HSTS bypass via IDN
https://curl.se/docs/CVE-2022-43552.html: CVE-2022-43552: HTTP Proxy deny use-after-free

Please bump to 7.87.0.

Comment 1 Larry the Git Cow gentoo-dev

2022-12-21 23:09:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb0e7f0d149103492b0dd1d687df8c55c6c9fca

commit dfb0e7f0d149103492b0dd1d687df8c55c6c9fca
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-21 23:08:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-21 23:09:18 +0000

    net-misc/curl: add 7.87.0
    
    Bug: https://bugs.gentoo.org/887745
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest           |   2 +
 net-misc/curl/curl-7.87.0.ebuild | 299 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-02-01 07:27:10 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70e478afca6ee420e77c320a37bbb6045b6a302e

commit 70e478afca6ee420e77c320a37bbb6045b6a302e
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-02-01 01:03:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-01 07:25:59 +0000

    net-misc/curl: drop 7.86.0-r3, 7.87.0-r1
    
    Drop vulnerable and obsolete.
    
    Closes: https://bugs.gentoo.org/887745
    Closes: https://bugs.gentoo.org/888801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/29365
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest              |   2 -
 net-misc/curl/curl-7.86.0-r3.ebuild | 302 ------------------------------------
 net-misc/curl/curl-7.87.0-r1.ebuild | 301 -----------------------------------
 3 files changed, 605 deletions(-)

Comment 3 John Helmert III archtester

2023-02-20 18:36:54 UTC

Not to be closed!