docker-library / httpd

Docker Official Image packaging for Apache HTTP Server
https://httpd.apache.org
Apache License 2.0

httpd:2.4.58 - CVE-2023-38545 #247

Closed adadande closed 8 months ago

adadande commented 8 months ago

httpd:2.4.58 has a vulnerable libcurl library inside the container:

$ strings /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0 | fgrep 'CLIENT libcurl '

Output:

CLIENT libcurl 7.88.1
CLIENT libcurl 7.88.1
CLIENT libcurl 7.88.1

https://nvd.nist.gov/vuln/detail/CVE-2023-38545

Any update for a patch release with the fix for the above CVE?

yosifkit commented 8 months ago

This is already fixed in Debian's Bookworm packages that are installed in the image. Compare the fixed versions listed in https://security-tracker.debian.org/tracker/CVE-2023-38545 to the version installed:

$ docker run -it --rm httpd:2.4 bash
Unable to find image 'httpd:2.4' locally
/usr/bin/docker-credential-desktop.exe: Invalid argument
2.4: Pulling from library/httpd
af107e978371: Already exists
eba4da411ea0: Pull complete
4f4fb700ef54: Pull complete
ed4d6291a6c2: Pull complete
b42c390e1de9: Pull complete
eafe388a0bb8: Pull complete
Digest: sha256:f0a93744d8006e6f7ee5086c9ddccdcfa33d1091f15269a00547b4c382459c1f
Status: Downloaded newer image for httpd:2.4
root@6bf642d36e77:/usr/local/apache2# dpkg -l | grep curl
ii  libcurl4:amd64            7.88.1-10+deb12u4              amd64        easy-to-use client-side URL transfer library (OpenSSL flavour)

Debian and most Linux distributions often backport fixes (to have more stable releases), so the version inside the binary cannot be used to compare to CVE listings. Any CVE analyzer tool needs to take into account the backported versions posted on places like https://security-tracker.debian.org/tracker/.

adadande commented 8 months ago

Can we get the list of updated files/directories in the provided patch 7.88.1-10+deb12u4 / 7.88.1-10+deb12u5? Basically, a command to get the list of files modified, or the full list of files, in the provided patch.

Like Linux has the command rpm -ql bash, which lists the directories in the package.

tianon commented 8 months ago

You mean like dpkg -L?
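As an added example (not code from the httpd image, docker-library or Debian), here is yosifkit's point about backports and tianon's `dpkg -L` pointer turned into a small checker: it orders versions the way dpkg does (so `7.88.1-10+deb12u4` is ranked correctly against the tracker's fixed version instead of `7.88.1` being compared against an upstream release number), parses the `dpkg -l` row shown above, and cross-checks the package's Debian changelog, which is the file that records which CVEs each revision backported. The `dpkg -l` line is the one from the thread; the tracker's fixed version (`7.88.1-10+deb12u4`, which is what the comparison above implies), the upstream fix release (`8.4.0`, from curl's own advisory) and the changelog text are assumptions or constructed stand-ins, not taken from this page.

```python
"""Added example, not code from the httpd image or from Debian: check whether an
installed Debian package already carries a backported CVE fix by comparing
versions the way dpkg does and by reading the package's Debian changelog."""
import re

# Constructed inputs: the dpkg -l row is the one shown in the thread; the tracker's
# fixed version is taken as 7.88.1-10+deb12u4 (what the thread's comparison implies;
# confirm on the tracker); the changelog is a made-up stand-in, not the real one.
DPKG_L_LINE = ("ii  libcurl4:amd64            7.88.1-10+deb12u4              amd64"
               "        easy-to-use client-side URL transfer library (OpenSSL flavour)")
TRACKER_FIXED = "7.88.1-10+deb12u4"
CVE = "CVE-2023-38545"
UPSTREAM_FIXED = "8.4.0"   # first upstream curl release with the fix, per curl's advisory
SAMPLE_CHANGELOG = """\
curl (7.88.1-10+deb12u4) bookworm-security; urgency=high
  * Constructed sample entry: backport the fix for CVE-2023-38545
curl (7.88.1-10+deb12u3) bookworm; urgency=medium
  * Constructed sample entry: no security fixes in this revision
"""

def _order(c):
    """dpkg ordering for non-digit characters: '~' < end of string < letters < others."""
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(x, y):
    for i in range(max(len(x), len(y))):
        ox = _order(x[i] if i < len(x) else "")
        oy = _order(y[i] if i < len(y) else "")
        if ox != oy:
            return -1 if ox < oy else 1
    return 0

def _cmp_fragment(a, b):
    """Compare as alternating runs of non-digits (dpkg lexical rules) and digits (numeric)."""
    while a or b:
        xa, xb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(xa, xb)
        if r:
            return r
        a, b = a[len(xa):], b[len(xb):]
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:              # no hyphen at all: the whole string is upstream
        upstream, revision = revision, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1, matching 'dpkg --compare-versions a lt|eq|gt b'."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_dpkg_l(line):
    """(package, version) from one 'dpkg -l' row, dropping the ':arch' suffix."""
    fields = line.split()
    return fields[1].split(":")[0], fields[2]

def parse_changelog(text):
    """Map each changelog revision to the CVE ids mentioned in its entry."""
    fixes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\S+ \(([^)]+)\) [^;]+;", line)
        if m:
            current = m.group(1)
            fixes.setdefault(current, set())
        elif current is not None:
            fixes[current].update(re.findall(r"CVE-\d{4}-\d{4,}", line))
    return fixes

def assess(dpkg_line, fixed_debian, cve, changelog):
    name, installed = parse_dpkg_l(dpkg_line)
    fixes = parse_changelog(changelog)
    return {
        "package": name,
        "installed": installed,
        # Right check: installed Debian version >= the tracker's fixed Debian version.
        "fixed_per_tracker": compare_versions(installed, fixed_debian) >= 0,
        # Cross-check: a revision <= the installed one names the CVE in the changelog.
        "fixed_per_changelog": any(cve in ids and compare_versions(rev, installed) <= 0
                                   for rev, ids in fixes.items()),
        # Wrong check, as in the original report: bare upstream number vs upstream fix.
        "naive_upstream_check_flags_it":
            compare_versions(split_version(installed)[1], UPSTREAM_FIXED) < 0,
    }
```

On a real Bookworm system the same inputs come from `dpkg -l libcurl4`, `dpkg -L libcurl4` for the list of files the package installs, and `zcat /usr/share/doc/libcurl4/changelog.Debian.gz` for the changelog to feed `parse_changelog`; minimized images may have stripped `/usr/share/doc`, in which case the changelog has to be read from the Debian package pages instead. For the row in this thread, `assess` reports the package as fixed by both the tracker comparison and the changelog, while the naive upstream-only comparison still flags it, which is exactly the false positive the original report hit.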

adadande commented 7 months ago

Here we are reaching out to bring to your attention a critical issue [CVE-2023-38545] that requires immediate attention. It has come to our notice that the recent fixes implemented in Debian as mentioned on tracker (https://security-tracker.debian.org/tracker/CVE-2023-38545) have not yet been updated in the National Vulnerability Database (NVD).

This lack of synchronization poses a potential risk to our system's security, as the NVD is a crucial resource for assessing and addressing vulnerabilities. The timely update of security information is paramount to ensuring the integrity and safety of our systems.

I kindly request your assistance in expediting the process of updating the Debian fixes in the NVD database. It is essential that the latest information is made available to the security community and organizations relying on this database for vulnerability management.

LaurentGoderre commented 7 months ago

@adadande as you can see from the sources below, the Debian libcurl versions have been patched and are therefore not affected by this:

https://security-tracker.debian.org/tracker/CVE-2023-38545

adadande commented 7 months ago

@LaurentGoderre
As part of our organization's security measures, we regularly conduct security scans using the National Vulnerability Database (NVD). We have noticed that the NVD database used by Debian may not be up to date with the latest vulnerabilities. Specifically, with CVE-2023-38545 we can see the fix in the Debian Tracker: https://security-tracker.debian.org/tracker/CVE-2023-38545

Keeping our systems secure is of utmost importance to us, and having the most recent vulnerability information is crucial for effective security scans.

Therefore, we kindly request that you consider updating the NVD database for Debian to ensure that it reflects the latest vulnerabilities. This update will not only benefit our organization but will also contribute to the overall security of the Debian user community.

We understand the challenges and efforts involved in maintaining such databases, and we sincerely appreciate your dedication to ensuring the security of Debian. If there are any specific procedures or information required from our end to facilitate this update, please let us know, and we will be more than happy to assist.

Thank you for your time and attention to this matter. We look forward to continuing our collaboration with the Debian Security Team for a safer computing environment.

Regards, Amar Adadande

LaurentGoderre commented 7 months ago

@adadande the NVD database and the Debian tracker are independent of each other, and we don't maintain either. What is important is that if you are using an up-to-date version of Debian Bookworm, the version of libcurl is patched and doesn't have this CVE anymore. Docker Hub and Docker Scout are correctly reporting the CVEs.