puppetlabs / puppet-runtime

runtime dependencies for Vanagon projects
Apache License 2.0
5 stars 88 forks source link

(PA-6878) Patch agent-runtime-7.x Curl for CVE-2024-7264 #898

Closed amitkarsale closed 2 months ago

amitkarsale commented 2 months ago

Patch to fix curl CVE-2024-7264

7.x curl version - 7.88.1 For 7.x patch was inspired from : http://archive.ubuntu.com/ubuntu/pool/main/c/curl/

For main - we have the curl 8.9.1 version for which the fix is already present as per https://curl.se/docs/CVE-2024-7264.html

vanagon-generic-main : https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3215/

vanagon-generic-7.x : https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3214/

mhashizume commented 2 months ago

This will need to be rebased on main to account for the changes merged in https://github.com/puppetlabs/puppet-runtime/pull/897/

joshcooper commented 2 months ago

Could you update the commit message to specify where the patch came from? Also could you mention that this change is only needed in 7.x and not main because curl 8.9.1 already has the fix (according to https://curl.se/docs/CVE-2024-7264.html)