fluent / fluent-package-builder

td-agent (Fluentd) Building and Packaging System
Apache License 2.0

HIGH CVE's on openssl-3.1.0 CVE-2023-0464, CVE-2023-4807, CVE-2023-5363 #635

Closed chaitrahegde115 closed 1 week ago

chaitrahegde115 commented 6 months ago

Hi, the CVEs below are reported against the openssl gem in fluent-package-builder 5.0.2 (/opt/fluent/lib/ruby/gems/3.2.0/specifications/default/openssl-3.1.0.gemspec): CVE-2023-0464, CVE-2023-4807, CVE-2023-5363. Let me know if these CVEs have any impact on the openssl Ruby gem.

kenhys commented 6 months ago

It seems that it is a library-side CVE, not the Ruby gem.

https://security-tracker.debian.org/tracker/CVE-2023-0464
https://security-tracker.debian.org/tracker/CVE-2023-4807
https://security-tracker.debian.org/tracker/CVE-2023-5363

At least for Debian, it seems that these CVEs were already fixed, so if you update to the latest one, it does not affect you.

For RHEL or other distributions, you need to check it.

kenhys commented 6 months ago

https://access.redhat.com/errata/RHSA-2023:3722 CVE-2023-0464
https://access.redhat.com/errata/RHSA-2024:0310 CVE-2023-5363

CVE-2023-4807 may be Windows-specific, and it says:

However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue.

ref. https://security-tracker.debian.org/tracker/CVE-2023-4807

kenhys commented 1 week ago

Need to update the system's library, so no need to take action; I'll close it.
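The point the thread turns on is that the openssl gem version in the gemspec (3.1.0) is not the version of the libssl/libcrypto the gem links against, and it is the latter that the distribution advisories fix. The following check, added here as an example and not code from fluent-package-builder or from anyone in the thread, reports both numbers from inside Ruby and compares the runtime library against a minimum you take from your distribution's advisory. It assumes only the stock openssl binding's OpenSSL::VERSION, OpenSSL::OPENSSL_VERSION and OpenSSL::OPENSSL_LIBRARY_VERSION constants; the minimum tuple in the script is a placeholder, not a number from any advisory. Run it with the Ruby interpreter shipped under /opt/fluent so it inspects the library td-agent actually loads, not a different system Ruby.

```ruby
require 'openssl'

# Report the three version strings the Ruby openssl binding exposes, so that
# the gem version (the 3.1.0 from the gemspec) is not confused with the
# version of the shared libssl/libcrypto actually loaded at runtime.
def openssl_versions
  {
    gem: OpenSSL::VERSION,                              # the openssl gem itself
    compiled_against: OpenSSL::OPENSSL_VERSION,         # headers the extension was built with
    runtime_library: OpenSSL::OPENSSL_LIBRARY_VERSION   # shared library loaded right now
  }
end

# Parse "OpenSSL 3.0.11 19 Sep 2023" or "OpenSSL 1.1.1w  11 Sep 2023" into a
# comparable [major, minor, patch, letter] tuple. 1.x releases carry a patch
# letter (a=1 ... z=26); 3.x releases do not, so letter is 0. Returns nil when
# no version number is present in the string.
def parse_openssl_version(str)
  m = str.match(/(\d+)\.(\d+)\.(\d+)([a-z])?/)
  return nil unless m
  major, minor, patch = m[1].to_i, m[2].to_i, m[3].to_i
  letter = m[4] ? (m[4].ord - 'a'.ord + 1) : 0
  [major, minor, patch, letter]
end

# True when the library version string is at or above the minimum tuple.
# The minimum is whatever your distribution's advisory names as the fixed
# version; an unparseable string counts as "not verified", i.e. false.
def library_at_least?(version_string, minimum)
  parsed = parse_openssl_version(version_string)
  return false if parsed.nil?
  (parsed <=> minimum) >= 0
end

if $PROGRAM_NAME == __FILE__
  versions = openssl_versions
  versions.each { |name, string| puts "#{name}: #{string}" }
  # PLACEHOLDER minimum: replace with the fixed version from your distro's advisory.
  minimum = [0, 0, 0, 0]
  ok = library_at_least?(versions[:runtime_library], minimum)
  puts "runtime library >= #{minimum.join('.')}: #{ok}"
end
```

Note that on a distribution that backports fixes (RHEL, Debian stable) the runtime version string stays at the old upstream number while the package release carries the fix, so this check tells you which library you are running but the authoritative answer still comes from the package manager and the advisory, as in the thread.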