Azure / azure-uamqp-python

AMQP 1.0 client library for Python
MIT License

Vulnerable to CVE-2024-25110? #380

Closed carnil closed 8 months ago

carnil commented 9 months ago

Hi

TTBOMK the embedded azure-uamqp- copy does not contain the fixes for CVE-2024-25110 (see: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v).

Changes: https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695

Is this correct?

risicle commented 8 months ago

Add to this CVE-2024-27099

kashifkhan commented 8 months ago

Hi @carnil and @risicle, I'll be putting out an update with the fix for this shortly. I'll update this thread once it hits PyPI.

kashifkhan commented 8 months ago

I've gone ahead and pushed out a new update to PyPI.

mr-c commented 8 months ago

Thank you @kashifkhan;

Isn't https://github.com/Azure/azure-uamqp-c/commit/2ca42b6e4e098af2d17e487814a91d05f6ae4987 also needed? In Debian, we applied that for CVE-2024-27099 (though I still don't have a way of testing to see if the vulnerability associated with the CVEs is still present)

Specifically

--- azure-uamqp-python.orig/src/vendor/azure-uamqp-c/src/link.c                 
+++ azure-uamqp-python/src/vendor/azure-uamqp-c/src/link.c                      
@@ -413,9 +413,9 @@                                                             
                     }                                                          
                 }                                                              
             }                                                                  
-        }                                                                      

-        flow_destroy(flow_handle);                                             
+            flow_destroy(flow_handle);                                         
+        }                                                                      
     }                                                                          
     else if (is_transfer_type_by_descriptor(descriptor))                       
     {
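
Review bot: The relocated `flow_destroy(flow_handle);` now sits inside the block closed by the new `}`, but the hunk shows only closing braces as context, so the condition guarding that block is not visible and the patch adds no comment saying why the handle may only be destroyed there. Suggest a one-line comment above the call stating that `flow_handle` is valid only when the enclosing check succeeded, and confirming that every path inside that block still reaches the call (no early exit before it), so an invalid destroy is not traded for a leak. Because the comment above says there is currently no way to test this, a regression test that exercises the path where the enclosing check fails would pin the behaviour.
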
kashifkhan commented 8 months ago

I'm not sure @mr-c, but I'll work on getting that added in as well.