cern-fts / davix

High-performance file management over WebDAV / HTTP
GNU Lesser General Public License v2.1

CVE-2022-32221 in bundled curl library #102

Closed ellert closed 1 year ago

ellert commented 1 year ago

https://curl.se/docs/CVE-2022-32221.html

Affected versions: libcurl 7.7 to and including 7.85.0
Not affected versions: libcurl < 7.7 and >= 7.86.0

davix bundles 7.69.0

The bundled library is used in the EPEL 7 and EPEL 8 builds, because the system version is too old. EPEL 9 and Fedora use the system version.

I have backported the commit fixing the CVE (a one line patch) to the packages in EPEL 7 and EPEL 8.
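An added example, not part of the davix project or this report: a small check that tells whether a libcurl version string (or the `libcurl/x.y.z` token from a `curl --version` banner) falls inside the affected range quoted above, 7.7 up to and including 7.85.0. The sample banner is constructed for the example.

```python
# Added example (not davix code): classify a libcurl version against the
# CVE-2022-32221 range stated in the issue: 7.7 <= version < 7.86.0.
import re
from typing import Tuple

FIRST_AFFECTED = (7, 7, 0)    # first affected release
FIRST_FIXED = (7, 86, 0)      # first release carrying the fix

# Constructed sample of a `curl --version` first line, as a build of
# davix with the bundled 7.69.0 might print it (assumed format).
SAMPLE_BANNER = "curl 7.69.0 (x86_64-pc-linux-gnu) libcurl/7.69.0 OpenSSL/1.1.1k"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '7.69.0' or '7.7' into a comparable (major, minor, patch) tuple.
    A suffix such as '-DEV' is ignored; missing components count as 0."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised curl version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_affected_by_cve_2022_32221(version: str) -> bool:
    """True when the version lies in the range the advisory lists as affected."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def libcurl_version_from_banner(banner: str) -> str:
    """Extract the libcurl version from a `curl --version` style first line."""
    match = re.search(r"libcurl/(\d+(?:\.\d+){0,2})", banner)
    if match is None:
        raise ValueError("no libcurl/<version> token found in banner")
    return match.group(1)


def report(banner: str) -> str:
    """One-line verdict for a banner, suitable for a build or audit log."""
    version = libcurl_version_from_banner(banner)
    state = "AFFECTED" if is_affected_by_cve_2022_32221(version) else "not affected"
    return f"libcurl {version}: {state} by CVE-2022-32221"


if __name__ == "__main__":
    print(report(SAMPLE_BANNER))
```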

mpatrascoiu commented 1 year ago

Hello,

Thank you for doing that! I'll end up applying the same EPEL fix during the CMake BuildCurlBundled target.

For this repository, I don't want to apply it via a specfile patch as it will do it on all platforms.

Thanks again for handling this on EPEL!

Cheers, Mihai

mpatrascoiu commented 1 year ago

Thank you again for reporting and patching this for EPEL. The issue has been addressed here as well.

The next Davix release (v0.8.4) brings the fix for both the upstream and the EPEL version.

Cheers, Mihai