curl / curl-docker

official docker image for curl
https://curl.se

Current version vulnerable to CVE-2021-23840 #49

Closed pboushy closed 3 years ago

pboushy commented 3 years ago

The currently published curl-docker:7.75.0 contains libcrypto and libssl 1.1.1i-r0 which is vulnerable to CVE-2021-23840. Can you please rebuild/publish the current code? Alpine updated their repos with libssl and libcrypto 1.1.1j-r0

bagder commented 3 years ago

FYI: curl does not use any of the functions that were reported to have those OpenSSL flaws.

xquery commented 3 years ago

+1 to what @bagder said - also considering an interim release (to include support for http3) will address this there - thanks for letting us know!

pboushy commented 3 years ago

It’d be awesome if things like trivy and other vulnerability scanners could be updated to detect that kind of stuff, but unfortunately they’re all based around what packages are installed. Thank you for replying so quickly.
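The check the reporter performed (comparing the libssl/libcrypto package versions inside the image against the Alpine version that ships the fix) and the limitation described in the comment above (scanners decide purely on installed package versions) can both be reproduced with a small package-version comparison. The following is an added example, not code from the curl-docker project or from anyone in this thread. It parses constructed sample output in the format of `apk info -v` (the real image's package list may differ) and flags any package below the fixed version named in the issue, 1.1.1j-r0. The version grammar handled here is a simplified assumption: dotted numbers, an optional trailing letter, and an optional `-rN` release; Alpine suffixes such as `_alpha` or `_p1` are rejected rather than misordered. Like trivy, it reports the package as affected whether or not curl actually calls the flawed OpenSSL functions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the shape of `apk info -v` from an Alpine-based
# image (illustrative values, not captured from the real curl-docker image).
SAMPLE_APK_INFO = """\
musl-1.2.2-r0
libssl1.1-1.1.1i-r0
libcrypto1.1-1.1.1i-r0
ca-certificates-20191127-r5
curl-7.75.0-r0
"""

# Minimum fixed versions, per the issue report (Alpine shipped 1.1.1j-r0).
FIXED_VERSIONS: Dict[str, str] = {
    "libssl1.1": "1.1.1j-r0",
    "libcrypto1.1": "1.1.1j-r0",
}

# Simplified Alpine version grammar (assumption): 1.1.1j-r0, 7.75.0-r0, 1.2.2
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")


def parse_version(ver: str) -> Tuple[List[int], str, int]:
    """Split '1.1.1j-r0' into ([1, 1, 1], 'j', 0) so tuples compare in order."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported apk version string: {ver!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    letter = m.group(2)
    release = int(m.group(3) or 0)
    return numbers, letter, release


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def split_package_line(line: str) -> Tuple[str, str]:
    """Split 'ca-certificates-20191127-r5' into ('ca-certificates', '20191127-r5').

    Package names may themselves contain hyphens, so the version is taken to
    start at the first hyphen-separated component that begins with a digit.
    """
    parts = line.strip().split("-")
    for i in range(1, len(parts)):
        if parts[i][:1].isdigit():
            return "-".join(parts[:i]), "-".join(parts[i:])
    raise ValueError(f"no version found in package line: {line!r}")


def find_outdated(apk_info_output: str, fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed, fixed) for every tracked package below its fix."""
    outdated = []
    for line in apk_info_output.splitlines():
        if not line.strip():
            continue
        name, installed = split_package_line(line)
        if name in fixed and compare_versions(installed, fixed[name]) < 0:
            outdated.append((name, installed, fixed[name]))
    return outdated


if __name__ == "__main__":
    # In practice the input would come from:
    #   docker run --rm curlimages/curl:7.75.0 apk info -v
    for name, installed, fixed_ver in find_outdated(SAMPLE_APK_INFO, FIXED_VERSIONS):
        print(f"{name}: installed {installed} < fixed {fixed_ver}")
```

Because the decision is made on the package version string alone, the same result is reported for an image whose curl binary never reaches the affected OpenSSL code paths; that is the gap between package-level scanning and reachability the comment above describes.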

xquery commented 3 years ago

this was addressed with alpine 3.12.4 ... we are now on 3.12.7