887745 – (CVE-2022-43551, CVE-2022-43552) <net-misc/curl-7.87.0: multiple vulnerabilities

Bug 887745 (CVE-2022-43551, CVE-2022-43552) - <net-misc/curl-7.87.0: multiple vulnerabilities

Summary: <net-misc/curl-7.87.0: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2022-43551, CVE-2022-43552

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa+]
Keywords:	PullRequest

Depends on:	887833 888801
Blocks:
	Show dependency tree

Reported:	2022-12-21 17:02 UTC by John Helmert III
Modified:	2023-10-17 12:20 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/29365
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-12-21 17:02:44 UTC

https://curl.se/docs/CVE-2022-43551.html: CVE-2022-43551: Another HSTS bypass via IDN
https://curl.se/docs/CVE-2022-43552.html: CVE-2022-43552: HTTP Proxy deny use-after-free

Please bump to 7.87.0.

Comment 1 Larry the Git Cow gentoo-dev

2022-12-21 23:09:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dfb0e7f0d149103492b0dd1d687df8c55c6c9fca

commit dfb0e7f0d149103492b0dd1d687df8c55c6c9fca
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-21 23:08:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-21 23:09:18 +0000

    net-misc/curl: add 7.87.0
    
    Bug: https://bugs.gentoo.org/887745
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest           |   2 +
 net-misc/curl/curl-7.87.0.ebuild | 299 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 301 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2023-02-01 07:27:10 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=70e478afca6ee420e77c320a37bbb6045b6a302e

commit 70e478afca6ee420e77c320a37bbb6045b6a302e
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-02-01 01:03:02 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-02-01 07:25:59 +0000

    net-misc/curl: drop 7.86.0-r3, 7.87.0-r1
    
    Drop vulnerable and obsolete.
    
    Closes: https://bugs.gentoo.org/887745
    Closes: https://bugs.gentoo.org/888801
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Closes: https://github.com/gentoo/gentoo/pull/29365
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest              |   2 -
 net-misc/curl/curl-7.86.0-r3.ebuild | 302 ------------------------------------
 net-misc/curl/curl-7.87.0-r1.ebuild | 301 -----------------------------------
 3 files changed, 605 deletions(-)

Comment 3 John Helmert III archtester

2023-02-20 18:36:54 UTC

Not to be closed!

Comment 4 Larry the Git Cow gentoo-dev

2023-10-11 08:41:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3dfe02046c2bc76fb7e910a04702603b72fcb98c

commit 3dfe02046c2bc76fb7e910a04702603b72fcb98c
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-10-11 08:40:59 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-10-11 08:41:24 +0000

    [ GLSA 202310-12 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/887745
    Bug: https://bugs.gentoo.org/894676
    Bug: https://bugs.gentoo.org/902801
    Bug: https://bugs.gentoo.org/906590
    Bug: https://bugs.gentoo.org/910564
    Bug: https://bugs.gentoo.org/914091
    Bug: https://bugs.gentoo.org/915195
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202310-12.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)