dependencies: upgrade libcurl to 7.74.0.
Address CVE scanner reports. These don't appear to impact Envoy extension use of libcurl, so fixing in the open, the update is belt-and-braces.

CVE ID: CVE-2020-8284
CVSS v3 score: 3.7
Severity: LOW
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Affected CPEs:
- cpe:2.3:o:fedoraproject:fedora:33
- cpe:2.3:a:haxx:curl:*

CVE ID: CVE-2020-8285
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*

CVE ID: CVE-2020-8286
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*

Signed-off-by: Harvey Tuch <htuch@google.com>