Curl 8.9.1 just announced a new CVE that affects Curl 8.9.0, https://curl.se/docs/CVE-2024-7264.html. So we should update to the latest curl to address all three of these CVEs.
Curl just released 8.9.0 and announced two CVEs.
Both of these are only in Curl 8, so no backporting is needed to fix curl in the agent-runtime-7.x. So only puppet-agent 8.7.0 is affected by these two CVEs. The puppet-agent versions before 8.7.0 all had Curl version 7, which does not have these CVEs.