Re: curl: CVE-2023-28322 and CVE-2023-27534

On Sat, Dec 16, 2023 at 10:39:08PM -0300, Samuel Henrique wrote:
> On Thu, 30 Nov 2023 at 06:36, Markus Koschany <apo@debian.org> wrote:
> > I have recently triaged CVE-2023-28322 and CVE-2023-27534 for curl as ignored
> > for Buster because I believe those are minor issues. Since you expressed
> > interest as the maintainer of curl to fix potential security vulnerabilities, I
> > am asking you for your assessment. Are you (or someone else reading the list)
> > interested in fixing those CVEs?
> I have not had time to properly look at this yet, but I agree with not
> backporting the dynbuf functions for CVE-2023-27534 (at least from what I've
> seen so far).

I'd agree with that assessment.

For releases where it has been backported, I've added a link to a 
regression fix in the security tracker.[1]

> To give you a rough timeline for changes, my current priorities for curl right
> now are to get the fixes for CVE-2023-46218 and CVE-2023-46219 on all affected
> releases,

Regarding LTS, CVE-2023-46219 does not affect <= buster since 
CVE-2022-32207 was not present there.

> fix the ldap issue (#1057855) on unstable, and then come back to
> CVE-2023-27534 and CVE-2023-28322 (to be more confident on what to do).

For buster LTS I have now CVE-2023-28322 and CVE-2023-46218 fixed with [2]
and plan to upload that.

Please let me know if anything looks wrong about that.


[1] https://deb.freexian.com/extended-lts/tracker/CVE-2023-27534
[2] https://salsa.debian.org/debian/curl/-/commit/ab0405fcd6b2bf5fa5b3aa338da4689d0d6ca617