Package curl updated to version 8.3.0-alt1 for branch p10 in task 329789.

Published: 2023-06-27

BDU:2023-04304

Уязвимость функции fopen() библиотеки libcurl, связанная с ошибками управления состоянием, позволяющая нарушителю создать или перезаписать защищенные файлы

Severity: MEDIUM (5.5) Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

References:

CVE-2023-32001

Published: 2023-07-17

BDU:2023-05819

Уязвимость интерфейса утилиты командной строки cURL, позволяющая нарушителю вызвать отказ в обслуживании

Severity: HIGH (8.8) Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References:

CVE-2023-38039

Published: 2023-07-27
Modified: 2023-11-07

CVE-2023-32001

Rejected reason: We issued this CVE pre-maturely, as we have subsequently realized that this issue points out a problem that there really is no safe measures around or protections for.

Published: 2023-09-15
Modified: 2024-11-21

CVE-2023-38039

When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API. However, curl did not have a limit in how many or how large headers it would accept in a response, allowing a malicious server to stream an endless series of headers and eventually cause curl to run out of heap memory.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Version: 2.1.0

Package curl update in p10 on 2023-10-10

ALT-PU-2023-5711-3

Closed vulnerabilities

BDU:2023-04304

BDU:2023-05819

CVE-2023-32001

CVE-2023-38039