curl / curl-container

curl images
MIT License

Critical vulnerability CVE-2024-5535 in alpine/openssl 3.1.5-r0 version packaged in curlimages/curl:8.8.0 #60

Open barkhachoithani opened 1 month ago

barkhachoithani commented 1 month ago

Critical vulnerability CVE-2024-5535 is fixed in alpine/openssl version 3.1.6-r0 or higher. Please see https://build.alpinelinux.org/buildlogs/build-3-19-s390x/main/openssl/openssl-3.1.6-r2.log https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7413523

curl image should be updated with the latest/stable version of alpine/openssl.

dfandrich commented 1 month ago

The OpenSSL project considers this so low a priority that they're not even issuing a new release to fix it. Do you see this as a particularly bad problem with curl?

bagder commented 1 month ago

Also, curl does not use the affected function so the mentioned OpenSSL CVE cannot be triggered by curl.

barkhachoithani commented 1 month ago

> The OpenSSL project considers this so low a priority that they're not even issuing a new release to fix it. Do you see this as a particularly bad problem with curl?

Yes, OpenSSL considers it low; however, image scan results say it's critical. https://scout.docker.com/vulnerabilities/id/CVE-2024-5535/ https://github.com/advisories/GHSA-4fc7-mvrr-wv2c. alpine/openssl has a fix version.

dfandrich commented 1 month ago

If curl can't trigger the vulnerability then it's even less than low—it's zero.

xquery commented 1 month ago

For the reasons explained above, an out-of-band release is not needed in this case; this will get fixed when we do the next curl release.
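The reasoning in the maintainers' replies (curl never calls the OpenSSL function affected by CVE-2024-5535) is exactly what a VEX statement records: it tells image scanners such as Docker Scout why a packaged-component finding does not apply, instead of leaving it flagged as critical until the base package is bumped. Below is an added OpenVEX example, not part of this thread or of the curl project; the document @id, author and timestamp are constructed, and the product and subcomponent purls (pkg:docker/curlimages/curl@8.8.0 and pkg:apk/alpine/openssl@3.1.5-r0) are assumed identifiers for the image and package named in the issue.

```json
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/curlimages-curl-8.8.0-CVE-2024-5535",
  "author": "example-author (constructed; in practice the image maintainers)",
  "role": "Document Creator",
  "timestamp": "2024-07-01T00:00:00Z",
  "version": 1,
  "statements": [
    {
      "vulnerability": { "name": "CVE-2024-5535" },
      "products": [
        {
          "@id": "pkg:docker/curlimages/curl@8.8.0",
          "subcomponents": [
            { "@id": "pkg:apk/alpine/openssl@3.1.5-r0" }
          ]
        }
      ],
      "status": "not_affected",
      "justification": "vulnerable_code_not_in_execute_path",
      "impact_statement": "curl does not call the OpenSSL function affected by CVE-2024-5535, so the vulnerable code cannot be reached through the curl binary in this image. The fixed package (alpine/openssl 3.1.6-r0 or later) will be picked up in the next curl release."
    }
  ]
}
```

Scanners that consume OpenVEX (Grype, Trivy and Docker Scout among them) can be pointed at this document to suppress the finding while keeping the justification auditable; the statement should be retired once the image ships openssl 3.1.6-r0 or later.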