Multiple CVEs in cURL <7.88.0 Reproducible: Always
See (though there's not much info): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23914 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23915 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23916 cURL 7.88.0 is currently masked due to HTTP/2 issues. I'll keep an eye on upstream and either apply patches to unmask or bump the package if there's a new release.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04f8286d4a957947b08a02402a6ca6c8f949e26e commit 04f8286d4a957947b08a02402a6ca6c8f949e26e Author: Matt Jolly <Matt.Jolly@footclan.ninja> AuthorDate: 2023-02-16 10:14:47 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-02-17 05:09:07 +0000 net-misc/curl: add 7.88.0-r1 * Add HTTP/2 patchset * Add test fix patchset Bug: https://bugs.gentoo.org/894676 Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja> Signed-off-by: Sam James <sam@gentoo.org> net-misc/curl/curl-7.88.0-r1.ebuild | 298 ++++++++++++++++++++++++++++ net-misc/curl/files/curl-7.88.0-http2.patch | 93 +++++++++ net-misc/curl/files/curl-7.88.0-tests.patch | 120 +++++++++++ 3 files changed, 511 insertions(+)
Thanks!