This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

0.296.0

cf-buildpacks-eng released this 11 May 17:03 · 74 commits to main since this release

Notably, this release addresses:

USN-5412-1: curl vulnerabilities:

  • CVE-2022-27780: The curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved.
  • CVE-2022-27781: libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a TLS server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.
  • CVE-2022-27782: libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse.
-ii  curl                       7.58.0-2ubuntu3.17  amd64  command line tool for transferring data with URL syntax
+ii  curl                       7.58.0-2ubuntu3.18  amd64  command line tool for transferring data with URL syntax
-ii  libcurl3-gnutls:amd64      7.58.0-2ubuntu3.17  amd64  easy-to-use client-side URL transfer library (GnuTLS flavour)
-ii  libcurl4:amd64             7.58.0-2ubuntu3.17  amd64  easy-to-use client-side URL transfer library (OpenSSL flavour)
-ii  libcurl4-openssl-dev:amd64 7.58.0-2ubuntu3.17  amd64  development files and documentation for libcurl (OpenSSL flavour)
+ii  libcurl3-gnutls:amd64      7.58.0-2ubuntu3.18  amd64  easy-to-use client-side URL transfer library (GnuTLS flavour)
+ii  libcurl4:amd64             7.58.0-2ubuntu3.18  amd64  easy-to-use client-side URL transfer library (OpenSSL flavour)
+ii  libcurl4-openssl-dev:amd64 7.58.0-2ubuntu3.18  amd64  development files and documentation for libcurl (OpenSSL flavour)
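
Review bot: the CVE-2022-27781 entry in the notes describes a busy-loop in libcurl built with NSS, but the libcurl packages bumped in this diff are the GnuTLS and OpenSSL flavours (libcurl3-gnutls, libcurl4, libcurl4-openssl-dev). The notes should state whether that CVE is listed only because it is part of USN-5412-1 or because these builds are affected, so consumers of the rootfs can prioritise correctly. It would also help to confirm in the release checks that all four packages report 7.58.0-2ubuntu3.18 together, since curl and the three libcurl packages come from the same source version and a partial upgrade would leave one TLS flavour on 7.58.0-2ubuntu3.17.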