
HIGH CVEs on openssl-3.1.0: CVE-2023-0464, CVE-2023-4807, CVE-2023-5363

Open chaitrahegde115 opened this issue 1 year ago • 2 comments

Hi, the CVEs below are reported in the 5.0.2 fluent-package-builder openssl gem (/opt/fluent/lib/ruby/gems/3.2.0/specifications/default/openssl-3.1.0.gemspec): CVE-2023-0464, CVE-2023-4807, CVE-2023-5363. Let me know if these CVEs have any impact on the openssl ruby gem.

chaitrahegde115 · Mar 25 '24 05:03

It seems that these are library-side CVEs, not ruby gem ones.

https://security-tracker.debian.org/tracker/CVE-2023-0464
https://security-tracker.debian.org/tracker/CVE-2023-4807
https://security-tracker.debian.org/tracker/CVE-2023-5363

At least for Debian, it seems that these CVEs were already fixed, so if you update to the latest one, it is not affected.

For RHEL or other distributions, it needs to be checked.

kenhys · Mar 25 '24 05:03
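The distinction in the comment above (the gem's own version versus the version of the libssl/libcrypto it is linked against, which is what these CVEs concern) can be checked from Ruby. This is an added example, not code from fluent-package-builder or the openssl gem; the parser and comparison helpers are hypothetical, and the minimum version you pass in is whatever the relevant advisory or distro tracker states for your release line.

```ruby
require "openssl"

# The gem version (e.g. "3.1.0") describes the Ruby binding only; the library
# version describes the linked libssl/libcrypto, which is what the CVEs target.
def openssl_versions
  {
    gem: OpenSSL::VERSION,
    library: OpenSSL::OPENSSL_LIBRARY_VERSION,   # what is loaded at runtime
    compiled_against: OpenSSL::OPENSSL_VERSION,  # what the gem was built with
  }
end

# Parse a banner such as "OpenSSL 3.0.11 19 Sep 2023" or
# "OpenSSL 1.1.1w  11 Sep 2023" into a comparable [major, minor, patch, letter].
def parse_openssl_version(banner)
  m = banner.match(/OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)/) or
    raise ArgumentError, "unrecognised OpenSSL banner: #{banner.inspect}"
  [m[1].to_i, m[2].to_i, m[3].to_i, m[4]]
end

# True when the banner's version is >= minimum (e.g. "3.0.9" or "1.1.1u").
# Only meaningful within one release line: 3.0.x and 3.1.x have separate fixes.
def library_at_least?(banner, minimum)
  (parse_openssl_version(banner) <=> parse_openssl_version("OpenSSL #{minimum}")) >= 0
end

# Check the library actually loaded by this Ruby process.
# Caveat: distributions backport fixes without bumping the upstream version, so
# a "false" here must be confirmed against the distro tracker (as the thread does).
def runtime_library_at_least?(minimum)
  library_at_least?(OpenSSL::OPENSSL_LIBRARY_VERSION, minimum)
end

if __FILE__ == $PROGRAM_NAME
  openssl_versions.each { |k, v| puts "#{k}: #{v}" }
end
```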

https://access.redhat.com/errata/RHSA-2023:3722 CVE-2023-0464
https://access.redhat.com/errata/RHSA-2024:0310 CVE-2023-5363

CVE-2023-4807 may be Windows-specific, and it says:

However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

ref. https://security-tracker.debian.org/tracker/CVE-2023-4807

kenhys · Mar 25 '24 06:03