puppetlabs / puppet-runtime

runtime dependencies for Vanagon projects
Apache License 2.0

Upgrade Curl to address CVE-2024-6874 and CVE-2024-6197 #879

Closed cthorn42 closed 1 week ago

cthorn42 commented 1 month ago

Curl just released 8.9.0 and announced two CVEs

Both of these are only in Curl 8, so there will not be any backporting needed to fix curl in agent-runtime-7.x. So only puppet-agent 8.7.0 is affected by these two CVEs. The puppet-agent versions before 8.7.0 all had Curl version 7, which does not have these CVEs.

github-actions[bot] commented 1 month ago

Migrated issue to PA-6872

cthorn42 commented 1 month ago

Curl 8.9.1 just announced a new CVE that affects Curl 8.9.0, https://curl.se/docs/CVE-2024-7264.html. So we should update to the latest curl to address all three of these CVEs.
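An added example, not code from puppet-runtime or from anyone in this thread: a small Ruby check that applies the version reasoning in the two comments above to the banner printed by `curl --version`. It encodes only what the thread states (the two CVEs announced with 8.9.0 exist only in curl 8 and are fixed there; CVE-2024-7264 affects 8.9.0 and is fixed in 8.9.1) and reports which of those advisories a given build predates the fix for, so it tells you whether a host still needs the upgrade. The banners, the function names and the `SAMPLE_BANNERS` table are constructed for the example; which curl version any particular puppet-agent release bundles is not taken from this page.

```ruby
# Added example (not puppet-runtime code). Decide whether a curl build predates
# the fixes discussed in this issue, using only the version ranges the thread
# gives. Sample banners below are constructed, not captured from real agents.

# First line of `curl --version` looks like: "curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 ..."
CURL_VERSION_RE = /\Acurl (\d+)\.(\d+)\.(\d+)/

# Advisories from the thread, keyed by the first release that carries the fix.
# The first two are scoped to curl 8 only, as the thread says; CVE-2024-7264 is
# evaluated for curl 8 only as well (the thread only mentions 8.9.0).
FIXED_IN = {
  [8, 9, 0] => %w[CVE-2024-6874 CVE-2024-6197],
  [8, 9, 1] => %w[CVE-2024-7264],
}.freeze

# Constructed `curl --version` output for the three cases the thread discusses.
SAMPLE_BANNERS = {
  'curl 7 branch'   => "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.13\nRelease-Date: 2023-02-20\n",
  'pre-fix 8.x'     => "curl 8.8.0 (x86_64-pc-linux-gnu) libcurl/8.8.0 OpenSSL/3.0.13\n",
  'only 7264 left'  => "curl 8.9.0 (x86_64-pc-linux-gnu) libcurl/8.9.0 OpenSSL/3.0.13\n",
  'fixed 8.9.1'     => "curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.0.13\n",
}.freeze

# Parse the banner's first line into [major, minor, patch]; nil if it is not curl's.
def parse_curl_version(banner)
  m = CURL_VERSION_RE.match(banner.lines.first.to_s)
  return nil unless m
  m.captures.map(&:to_i)
end

# Advisories from the thread whose fix this curl 8 build predates.
# Array#<=> compares [major, minor, patch] lexicographically.
# curl 7.x returns [] because the thread scopes all three to curl 8 here;
# consult curl's advisory pages before drawing conclusions about older branches.
def unfixed_advisories(version)
  return [] unless version[0] == 8
  FIXED_IN.select { |fixed, _| (version <=> fixed) < 0 }.values.flatten
end

# true when the build needs the upgrade the thread recommends (8.x below 8.9.1),
# false when it is already at or past 8.9.1 or is a 7.x build, nil if unparsable.
def needs_curl_upgrade?(banner)
  version = parse_curl_version(banner)
  return nil if version.nil?
  !unfixed_advisories(version).empty?
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_BANNERS.each do |label, banner|
    version = parse_curl_version(banner)
    puts format('%-16s curl %-7s upgrade needed: %-5s outstanding: %s',
                label, version.join('.'), needs_curl_upgrade?(banner),
                unfixed_advisories(version).join(', '))
  end
end
```

Run it as `ruby curl_check.rb`; to check a real host, feed it the actual output of the bundled curl binary instead of `SAMPLE_BANNERS`. The check deliberately compares against fixed releases rather than claiming an exact affected range for each CVE, which is all the thread supports.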

joshcooper commented 1 week ago

Fixed in https://github.com/puppetlabs/puppet-runtime/pull/897