docker-library / httpd

Docker Official Image packaging for Apache HTTP Server
https://httpd.apache.org
Apache License 2.0

Critical curl vulnerabilities #226

Closed walter-heestermans-toyota closed 1 year ago

walter-heestermans-toyota commented 1 year ago

Inside the docker official images 2.4.4 and 2.4.5 we see some critical and high vulnerabilities, can you fix?

+----------------+----------+------+-------------+-------------------------+--------+------------+------------+----------------------------------------------------+
| CVE            | SEVERITY | CVSS | PACKAGE     | VERSION                 | STATUS | PUBLISHED  | DISCOVERED | DESCRIPTION                                        |
+----------------+----------+------+-------------+-------------------------+--------+------------+------------+----------------------------------------------------+
| CVE-2022-32221 | critical | 9.80 | curl        | 7.74.0-1.3+deb11u3      | open   | 43 days    | < 1 hour   | When doing HTTP(S) transfers, libcurl              |
|                |          |      |             |                         |        |            |            | might erroneously use the read callback            |
|                |          |      |             |                         |        |            |            | (CURLOPT_READFUNCTION) to ask for data to send,    |
|                |          |      |             |                         |        |            |            | even when the `CURLOPT...                          |
+----------------+----------+------+-------------+-------------------------+--------+------------+------------+----------------------------------------------------+
| CVE-2022-43551 | high     | 7.50 | curl        | 7.74.0-1.3+deb11u3      | open   | 25 days    | < 1 hour   | A vulnerability exists in curl <7.87.0 HSTS        |
|                |          |      |             |                         |        |            |            | check that could be bypassed to trick it to keep   |
|                |          |      |             |                         |        |            |            | using HTTP. Using its HSTS support, curl can be    |
|                |          |      |             |                         |        |            |            | instructe...                                       |
+----------------+----------+------+-------------+-------------------------+--------+------------+------------+----------------------------------------------------+
| CVE-2022-42916 | high     | 7.50 | curl        | 7.74.0-1.3+deb11u3      | open   | 81 days    | < 1 hour   | In curl before 7.86.0, the HSTS check could be     |
|                |          |      |             |                         |        |            |            | bypassed to trick it into staying with HTTP. Using |
|                |          |      |             |                         |        |            |            | its HSTS support, curl can be instructed to use    |
|                |          |      |             |                         |        |            |            | HTTP...                                            |
+----------------+----------+------+-------------+-------------------------+--------+------------+------------+----------------------------------------------------+

tianon commented 1 year ago

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves