jenkinsci/docker

Upgrade curl to >=8.4.0 to fix CVE-2023-38545

hartmut-co-uk opened this issue · 3 comments

What feature do you want to see added?

Update curl to >=8.4.0 that fixes:

Upstream changes

No response

As per https://security-tracker.debian.org/tracker/CVE-2023-38545 and https://security-tracker.debian.org/tracker/CVE-2023-38546 the version 7.88.1-10+deb12u4 of the curl package has the fix, which is the case with our latest images:

LTS:

$ docker run --rm --entrypoint='' jenkins/jenkins:2.414.3-jdk11 sh -c 'dpkg -l | grep -w curl'
ii  curl                      7.88.1-10+deb12u4              arm64        command line tool for transferring data with URL syntax

Weekly:

$ docker run --rm --entrypoint='' jenkins/jenkins:2.428 sh -c 'dpkg -l | grep -w curl'
ii  curl                      7.88.1-10+deb12u4              arm64        command line tool for transferring data with URL syntax

=> the Jenkins controller images are not impacted.

As such I'm closing the issue. Feel free to reopen with details if you have a proof that the embedded package is subject to the CVE.

Side note: please check and follow carefully https://www.jenkins.io/security/reporting to report a vulnerability in the project.
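The check above compares the Debian package revision, not the upstream curl number: the Debian tracker names 7.88.1-10+deb12u4 as the fixed build even though upstream fixed the bugs in 8.4.0. The following is an added example, not code from this thread or from jenkinsci/docker, that makes that comparison reproducible in a pipeline: a small implementation of dpkg's version ordering (epoch, upstream version, Debian revision, with `~` sorting before everything) applied to `dpkg -l` output. The `SAMPLE_DPKG_L` line is constructed from the output quoted above, and the function names are my own.

```python
import itertools
import re

# Constructed sample input, modelled on the `dpkg -l | grep -w curl` output quoted in the thread.
SAMPLE_DPKG_L = ("ii  curl                      7.88.1-10+deb12u4              arm64        "
                 "command line tool for transferring data with URL syntax\n")
# Fixed Debian package version per the Debian security tracker entries cited in the thread.
FIXED_CURL_VERSION = "7.88.1-10+deb12u4"

def _char_order(c):
    # Debian ordering for non-digit characters: '~' < end-of-string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Debian Policy 7.1: alternate non-digit runs (order above) and numeric digit runs
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in itertools.zip_longest(na, nb, fillvalue=""):
            if _char_order(x) != _char_order(y):
                return -1 if _char_order(x) < _char_order(y) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream_version[-debian_revision]; epoch defaults to 0, revision to empty
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    # Return -1, 0 or 1 with the ordering `dpkg --compare-versions` uses
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def installed_version(dpkg_l_output, package):
    # Version column for `package` in `dpkg -l` output, or None when it is not installed
    m = re.search(r"^ii\s+%s(?::\S+)?\s+(\S+)" % re.escape(package), dpkg_l_output, re.M)
    return m.group(1) if m else None

def curl_is_fixed(dpkg_l_output, fixed=FIXED_CURL_VERSION):
    # True when the installed curl is at or above the fixed Debian revision
    v = installed_version(dpkg_l_output, "curl")
    return v is not None and compare_versions(v, fixed) >= 0
```

Feed it the output of `docker run --rm --entrypoint='' <image> sh -c 'dpkg -l'` and fail the build when `curl_is_fixed` returns False; a naive string or float comparison against "8.4.0" would wrongly flag the patched Debian build.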

Many thanks for taking care and responding in such detail!