This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

0.353.0

@cf-buildpacks-eng cf-buildpacks-eng released this 28 Feb 20:47
· 16 commits to main since this release

Notably, this release addresses:

USN-5900-1: tar vulnerability:

  • CVE-2022-48303: GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

USN-5891-1: curl vulnerabilities:

  • CVE-2023-23914: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to fail when multiple URLs are requested serially. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly be ignored by subsequent transfers when done on the same command line because the state would not be properly carried on.
  • CVE-2023-23915: A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functionality to behave incorrectly when multiple URLs are requested in parallel. Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL. This HSTS mechanism would however surprisingly fail when multiple transfers are done in parallel as the HSTS cache file gets overwritten by the most recently completed transfer. A later HTTP-only transfer to the earlier host name would then not get upgraded properly to HSTS.
  • CVE-2023-23916: An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
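The per-header versus whole-chain distinction in CVE-2023-23916 above, as an added example that is not curl's code and not part of this release: the weak check and the corrected check side by side, run over constructed header sets. `MAX_LINKS` is an assumed cap for illustration; the page does not state curl's actual limit.

```python
"""Added example (not curl's code): checking the length of an HTTP
"decompression chain" the way CVE-2023-23916 describes it.

A response may carry several Content-Encoding headers, each listing several
encodings. A cap enforced per header can be exceeded in total by sending many
headers; a cap enforced on the whole chain cannot. MAX_LINKS is an assumed
value for this example.
"""
from typing import Iterable, List, Tuple

Header = Tuple[str, str]
MAX_LINKS = 5  # assumed cap; the real limit is not given on the page


def parse_encodings(value: str) -> List[str]:
    """Split one Content-Encoding value into its individual encodings."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def chain_links(headers: Iterable[Header]) -> List[str]:
    """Full decompression chain, in order, across every Content-Encoding header."""
    chain: List[str] = []
    for name, value in headers:
        if name.lower() == "content-encoding":
            chain.extend(parse_encodings(value))
    return chain


def per_header_cap_accepts(headers: Iterable[Header], cap: int = MAX_LINKS) -> bool:
    """The weak form: each header is checked on its own, so the total is unbounded."""
    return all(
        len(parse_encodings(value)) <= cap
        for name, value in headers
        if name.lower() == "content-encoding"
    )


def cumulative_cap_accepts(headers: Iterable[Header], cap: int = MAX_LINKS) -> bool:
    """The corrected form: the cap applies to the whole chain."""
    return len(chain_links(headers)) <= cap


# Constructed sample responses (not captured traffic).
NORMAL_RESPONSE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Content-Encoding", "gzip"),
]
# Every header stays under the cap on its own, but the chain is 12 steps long.
MANY_HEADER_RESPONSE: List[Header] = [("Content-Type", "text/html")] + [
    ("Content-Encoding", "gzip, deflate, br")
] * 4


def summarize(headers: Iterable[Header]) -> dict:
    """Evaluate one response under both checks; the shape a log line or test would use."""
    headers = list(headers)
    return {
        "links": len(chain_links(headers)),
        "per_header_accepts": per_header_cap_accepts(headers),
        "cumulative_accepts": cumulative_cap_accepts(headers),
    }


if __name__ == "__main__":
    for label, resp in (("normal", NORMAL_RESPONSE), ("many headers", MANY_HEADER_RESPONSE)):
        print(label, summarize(resp))
```

The point to take from `summarize(MANY_HEADER_RESPONSE)` is that the per-header check passes while the cumulative one fails; any resource limit on a repeatable header has to be accumulated across all occurrences of that header, not reset for each one.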
-ii  curl                       7.58.0-2ubuntu3.22 amd64  command line tool for transferring data with URL syntax
+ii  curl                       7.58.0-2ubuntu3.23 amd64  command line tool for transferring data with URL syntax
-ii  libcurl3-gnutls:amd64      7.58.0-2ubuntu3.22 amd64  easy-to-use client-side URL transfer library (GnuTLS flavour)
-ii  libcurl4:amd64             7.58.0-2ubuntu3.22 amd64  easy-to-use client-side URL transfer library (OpenSSL flavour)
-ii  libcurl4-openssl-dev:amd64 7.58.0-2ubuntu3.22 amd64  development files and documentation for libcurl (OpenSSL flavour)
+ii  libcurl3-gnutls:amd64      7.58.0-2ubuntu3.23 amd64  easy-to-use client-side URL transfer library (GnuTLS flavour)
+ii  libcurl4:amd64             7.58.0-2ubuntu3.23 amd64  easy-to-use client-side URL transfer library (OpenSSL flavour)
+ii  libcurl4-openssl-dev:amd64 7.58.0-2ubuntu3.23 amd64  development files and documentation for libcurl (OpenSSL flavour)
-ii  tar                        1.29b-2ubuntu0.3   amd64  GNU version of the tar archiving utility
+ii  tar                        1.29b-2ubuntu0.4   amd64  GNU version of the tar archiving utility