Upgrade curl to >=8.4.0 to fix CVE-2023-38545
hartmut-co-uk opened this issue · 3 comments
hartmut-co-uk commented
What feature do you want to see added?
Update curl to >=8.4.0 that fixes:
Upstream changes
No response
dduportal commented
As per https://security-tracker.debian.org/tracker/CVE-2023-38545 and https://security-tracker.debian.org/tracker/CVE-2023-38546, the version 7.88.1-10+deb12u4 of the curl package has the fix, which is the case with our latest images:
LTS:
$ docker run --rm --entrypoint='' jenkins/jenkins:2.414.3-jdk11 sh -c 'dpkg -l | grep -w curl'
ii curl 7.88.1-10+deb12u4 arm64 command line tool for transferring data with URL syntax
Weekly:
$ docker run --rm --entrypoint='' jenkins/jenkins:2.428 sh -c 'dpkg -l | grep -w curl'
ii curl 7.88.1-10+deb12u4 arm64 command line tool for transferring data with URL syntax
=> the Jenkins controller images are not impacted.
As such I'm closing the issue. Feel free to reopen with details if you have proof that the embedded package is subject to the CVE.
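The check above relies on Debian's versioning: a package whose upstream version is below 8.4.0 can still carry the backported fix, so the comparison has to be made against the fixed Debian package version from the security tracker, not against the upstream release number. The following script is an added example, not code from the jenkinsci/docker project: it parses `dpkg -l` lines (constructed here from the output quoted in the comment), splits the version into epoch, upstream and Debian revision, and orders versions with a Python port of dpkg's comparison rules. The fixed version 7.88.1-10+deb12u4 is the one the comment cites; the "older image" line is a constructed sample. On a real Debian system `dpkg --compare-versions` performs this comparison natively.

```python
"""Check whether an installed Debian package already carries a backported
security fix, using a Python port of dpkg's version ordering.

Added example; not code from the jenkinsci/docker project. The dpkg -l lines
below are constructed from the output quoted in the issue, and the fixed
version 7.88.1-10+deb12u4 is the one cited from the Debian security tracker.
"""
from typing import Dict, Optional, Tuple


def _order(s: str, k: int) -> int:
    """Character weight as in dpkg's verrevcmp: '~' sorts before everything
    (including end of string), letters sort before non-letters, digits and
    end of string weigh 0."""
    if k >= len(s):
        return 0
    c = s[k]
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare one upstream-version or debian-revision string: -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare weights until both sides reach a digit or the end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa, ob = _order(a, i), _order(b, j)
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1
            j += 1
        # Numeric run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff != 0:
            return -1 if first_diff < 0 else 1
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the last hyphen starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Full Debian version comparison: epoch, then upstream, then revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dpkg_list(text: str) -> Dict[str, str]:
    """Map package name -> version for lines that dpkg -l marks installed ('ii')."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            installed[fields[1]] = fields[2]
    return installed


def package_is_fixed(dpkg_output: str, package: str, fixed_version: str) -> Tuple[Optional[str], bool]:
    """Return (installed version or None, True if installed >= fixed_version)."""
    version = parse_dpkg_list(dpkg_output).get(package)
    if version is None:
        return None, False
    return version, compare_versions(version, fixed_version) >= 0


# Constructed samples: the line quoted in the issue, plus an older revision for contrast.
LTS_IMAGE_DPKG = "ii curl 7.88.1-10+deb12u4 arm64 command line tool for transferring data with URL syntax\n"
OLDER_DPKG = "ii curl 7.88.1-10+deb12u3 arm64 command line tool for transferring data with URL syntax\n"
FIXED_CURL = "7.88.1-10+deb12u4"  # fixed version cited from the Debian security tracker

if __name__ == "__main__":
    for label, out in (("current image", LTS_IMAGE_DPKG), ("older image", OLDER_DPKG)):
        ver, ok = package_is_fixed(out, "curl", FIXED_CURL)
        print(f"{label}: curl {ver} -> {'fixed' if ok else 'NOT fixed'} (needs >= {FIXED_CURL})")
```

Feed it the `dpkg -l` output captured with the `docker run` command from the comment and compare against the fixed version listed by the security tracker for your Debian release; comparing against the upstream 8.4.0 number would flag the patched 7.88.1-10+deb12u4 package as vulnerable.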
dduportal commented
Side note: please check and follow carefully https://www.jenkins.io/security/reporting to report a vulnerability in the project.
hartmut-co-uk commented
Many thanks for taking care and responding in such detail!