[Debian] Medium CVE: CVE-2024-2398 curl

Bug #2071582 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang

Bug Description

CVE-2024-2398: https://nvd.nist.gov/vuln/detail/CVE-2024-2398

When an application tells libcurl it wants to allow HTTP/2 server push, and the number of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Base Score: Medium

Reference (package upgrades, Debian 11 amd64):

curl: 7.74.0-1.3+deb11u11 → 7.74.0-1.3+deb11u12
libcurl3-gnutls: 7.74.0-1.3+deb11u11 → 7.74.0-1.3+deb11u12
libcurl4: 7.74.0-1.3+deb11u11 → 7.74.0-1.3+deb11u12
libcurl4-gnutls-dev: 7.74.0-1.3+deb11u11 → 7.74.0-1.3+deb11u12
libcurl4-openssl-dev: 7.74.0-1.3+deb11u11 → 7.74.0-1.3+deb11u12
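An added verification check, not part of this bug report or of the StarlingX fix: a Python script that reads `dpkg-query -W` style output and flags any of the five packages above whose installed version still sorts below the fixed `7.74.0-1.3+deb11u12`. The dpkg version-ordering rules (epoch, upstream, revision, `~` sorting first, numeric digit runs) are reimplemented here; the sample package list is constructed, not captured from a real host.

```python
import re
from itertools import zip_longest
# Fixed versions taken from the upgrade list above (Debian 11 "bullseye" packages).
FIXED_VERSIONS = {name: "7.74.0-1.3+deb11u12" for name in (
    "curl", "libcurl3-gnutls", "libcurl4", "libcurl4-gnutls-dev", "libcurl4-openssl-dev")}

def _order(c):
    # dpkg ordering for non-digit characters: '~' before end-of-string (0), then letters, then the rest.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg rule: alternately compare a non-digit run (character by character) and a digit run (numerically).
    while a or b:
        sa, sb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]: epoch defaults to 0, the revision starts at the last hyphen.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering versions as dpkg --compare-versions does."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def vulnerable_packages(dpkg_output):
    """(name, version) pairs from 'dpkg-query -W' style output still below the fixed version."""
    rows = [r for r in (line.split() for line in dpkg_output.splitlines()) if len(r) == 2]
    return [(n, v) for n, v in rows
            if n in FIXED_VERSIONS and compare_versions(v, FIXED_VERSIONS[n]) < 0]

# Constructed sample of 'dpkg-query -W' output (not captured from a real host).
SAMPLE_DPKG = """curl 7.74.0-1.3+deb11u11
libcurl4 7.74.0-1.3+deb11u12
libcurl3-gnutls 7.74.0-1.3+deb11u7
"""
```

On a host, feed the script the output of `dpkg-query -W -f '${Package} ${Version}\n'`; an empty result means every tracked package is at or above the fixed revision.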


Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/924052

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/924052
Committed: https://opendev.org/starlingx/tools/commit/454637560a8132b4ae491b12f1cb817e39171fc8
Submitter: "Zuul (22348)"
Branch: master

commit 454637560a8132b4ae491b12f1cb817e39171fc8
Author: Peng Zhang <email address hidden>
Date: Wed Jul 10 08:57:12 2024 +0000

    Debian: curl: fix CVE-2024-2398

    Upgrade curl 7.74.0-1.3+deb11u12
    Upgrade libcurl3-gnutls 7.74.0-1.3+deb11u12
    Upgrade libcurl4 7.74.0-1.3+deb11u12
    Upgrade libcurl4-gnutls-dev 7.74.0-1.3+deb11u12
    Upgrade libcurl4-openssl-dev 7.74.0-1.3+deb11u12

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2024-2398

    TestPlan:
    PASS: downloader; build-pkgs
    PASS: build-image

    Closes-Bug: 2071582
    Change-Id: I0e8cc80b689d8923af3f7eb3f4f3d651960925ec
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
This report contains Public Security information. Everyone can see this security related information.