Does anyone know if a fix for the recent curl-issue (CVE-2023-38546) will land in CentOS 7?
https://access.redhat.com/security/cve/cve-2023-38546 says "Out of support scope" for RHEL 7 which does not look promising
Thanks,
Alex
CVE-2023-38546
Re: CVE-2023-38546
No, it will not because the version in CentOS 7 is too old to be vulnerable! That means it doesn't need fixing.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: CVE-2023-38546
Just checked: CentOS 7 is using curl 7.29.0, and CVE-2023-38546 says
- Affected versions: libcurl 7.9.1 to and including 8.3.0
- Not affected versions: libcurl < 7.9.1 and >= 8.4.0
So CentOS 7 is vulnerable!
# docker run -it --rm centos:7 curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
# docker run -it --rm centos:7 /bin/bash -c "yum update -y curl && curl --version"
...
Updated:
curl.x86_64 0:7.29.0-59.el7_9.1
Dependency Updated:
libcurl.x86_64 0:7.29.0-59.el7_9.1
Complete!
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
Re: CVE-2023-38546
Ah, wrong CVE number, sorry. That's the low severity one, not the urgent one, which is https://curl.se/docs/CVE-2023-38545.html and came in with 7.69, so CentOS 7's copy is not vulnerable to the high severity one. According to https://access.redhat.com/security/cve/CVE-2023-38545 RHEL 8 is not affected either.
For the low severity one, Red Hat seem to have decided it's not worth the effort of fixing it: https://access.redhat.com/security/cve/CVE-2023-38546
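The version-range check the posts above do by hand, as an added example that is not part of the thread: it pulls the libcurl version out of `curl --version` output and compares it against the upstream affected ranges quoted in the thread (CVE-2023-38545 from 7.69.0, CVE-2023-38546 from 7.9.1, both up to and including 8.3.0). A match only means "check the vendor advisory": distros like RHEL backport fixes into the same version string (the `7.29.0-59.el7_9.1` build above), so a version-only check can neither confirm nor rule out a vendor-patched package. The sample output strings are the ones shown in the thread plus constructed ones for other versions.

```python
import re

# Upstream affected ranges as stated in the thread (inclusive bounds).
# Both issues were fixed upstream in 8.4.0 ("Not affected versions: >= 8.4.0").
AFFECTED = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),  # "came in with 7.69"
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),   # "libcurl 7.9.1 to and including 8.3.0"
}


def parse_libcurl_version(version_output):
    """Return the libcurl version as an (major, minor, patch) tuple, or None if absent."""
    m = re.search(r"libcurl/(\d+)\.(\d+)(?:\.(\d+))?", version_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(version):
    """CVE ids whose upstream affected range contains `version` (a tuple)."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def assess(version_output):
    """Map `curl --version` text to {'version': tuple, 'affected': [cve, ...]}.

    'affected' lists upstream ranges only; a distro backport (e.g. an .el7_9.1
    release) may already carry the fix without changing the version string.
    """
    version = parse_libcurl_version(version_output)
    if version is None:
        return {"version": None, "affected": []}
    return {"version": version, "affected": affected_cves(version)}


if __name__ == "__main__":
    # First line of the CentOS 7 output shown in the thread.
    centos7 = "curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7"
    print(assess(centos7))  # 7.29.0 is inside the 38546 range but below 7.69.0 for 38545
```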
Re: CVE-2023-38546
Thanks for the update TrevorH!
I was also mixing up CVE numbers, I meant 38545 like you.
Good that CentOS 7 is not affected by that.