
Critical vulnerability CVE-2024-5535 in alpine/openssl 3.1.5-r0 version packaged in curlimages/curl:8.8.0

Open barkhachoithani opened this issue 1 year ago • 5 comments

Critical vulnerability CVE-2024-5535 is fixed in alpine/openssl version 3.1.6-r0 or higher. Please see https://build.alpinelinux.org/buildlogs/build-3-19-s390x/main/openssl/openssl-3.1.6-r2.log https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7413523

curl image should be updated with the latest/stable version of alpine/openssl.

barkhachoithani avatar Jul 11 '24 19:07 barkhachoithani

The OpenSSL project considers this so low a priority that they're not even issuing a new release to fix it. Do you see this as a particularly bad problem with curl?

dfandrich avatar Jul 11 '24 20:07 dfandrich

Also, curl does not use the affected function so the mentioned OpenSSL CVE cannot be triggered by curl.

bagder avatar Jul 11 '24 21:07 bagder

The OpenSSL project considers this so low a priority that they're not even issuing a new release to fix it. Do you see this as a particularly bad problem with curl?

Yes, OpenSSL considers it low; however, image scan results say it's critical. https://scout.docker.com/vulnerabilities/id/CVE-2024-5535/ https://github.com/advisories/GHSA-4fc7-mvrr-wv2c. alpine/openssl has a fix version.

barkhachoithani avatar Jul 11 '24 21:07 barkhachoithani

If curl can't trigger the vulnerability then it's even less than low—it's zero.

dfandrich avatar Jul 11 '24 23:07 dfandrich

For the reasons explained above, an out-of-band release is not needed in this case. This will get fixed when we do the next curl release.

xquery avatar Jul 12 '24 06:07 xquery