Updated curl packages fix security vulnerabilities
Publication date: 29 Mar 2024
Modification date: 29 Mar 2024
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466
Description
CVE-2024-2004: Usage of disabled protocol. If all protocols are disabled at run-time with none being added, curl/libcurl would still allow communication with the default set of allowed protocols, including some that are unencrypted.
CVE-2024-2398: HTTP/2 push headers memory-leak. A memory leak could occur when an application enabled HTTP/2 server push and the server sent a large number of headers.
References
- https://bugs.mageia.org/show_bug.cgi?id=33020
- https://curl.se/docs/CVE-2024-2004.html
- https://curl.se/docs/CVE-2024-2398.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2004
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2379
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2398
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2466
SRPMS
9/core
- curl-7.88.1-4.3.mga9