dependencies: upgrade libcurl to 7.74.0. #14444
Merged
Conversation
repokitteh-read-only (bot) added the "deps" label (Approval required for changes to Envoy's external dependencies) on Dec 16, 2020
CC @wrowe on

Address CVE scanner reports. These don't appear to impact Envoy extension use of libcurl, so fixing in the open, the update is belt-and-braces.

CVE ID: CVE-2020-8284
CVSS v3 score: 3.7
Severity: LOW
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.
Affected CPEs:
- cpe:2.3:o:fedoraproject:fedora:33
- cpe:2.3:a:haxx:curl:*

CVE ID: CVE-2020-8285
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled recursion due to a stack overflow issue in FTP wildcard match parsing.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*

CVE ID: CVE-2020-8286
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for certificate revocation due to insufficient verification of the OCSP response.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*

Signed-off-by: Harvey Tuch <htuch@google.com>
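The scanner report above is the input a reviewer has to triage before merging a bump like this one: which findings are HIGH, and does the proposed version actually leave every affected range? The script below is an added example for this page, not Envoy's code and not part of the PR. It parses the report format quoted in the description (the embedded sample is that report's text, trimmed of the date lines), extracts the affected version range from the three phrasings these descriptions use ("X through Y", "X to and including Y", "Y and earlier"), and lists the CVEs that still block a given pin. A description whose range it cannot parse is treated as affected, so an unfamiliar phrasing fails closed rather than silently passing.

```python
"""Triage helper for dependency CVE scanner reports (added example, not Envoy code).

Parses the report format quoted in the PR description and checks whether a given
curl version still falls inside each CVE's affected range."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Scanner output as pasted in the PR description (date lines omitted for brevity).
SAMPLE_REPORT = """\
CVE ID: CVE-2020-8284
CVSS v3 score: 3.7
Severity: LOW
Dependencies: com_github_curl
Description: A malicious server can use the FTP PASV response to trick curl 7.73.0
and earlier into connecting back to a given IP address and port, and
this way potentially make curl extract information about services that
are otherwise private and not disclosed, for example doing port
scanning and service banner extractions.
Affected CPEs:
- cpe:2.3:o:fedoraproject:fedora:33
- cpe:2.3:a:haxx:curl:*
CVE ID: CVE-2020-8285
CVSS v3 score: 7.5
Severity: HIGH
Dependencies: com_github_curl
Description: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled
recursion due to a stack overflow issue in FTP wildcard match parsing.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*
CVE ID: CVE-2020-8286
CVSS v3 score: 7.5
Severity: HIGH
Dependencies: com_github_curl
Description: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for
certificate revocation due to insufficient verification of the OCSP
response.
Affected CPEs:
- cpe:2.3:a:haxx:curl:*
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9 ]+):(?: (.*))?$")  # "Key: value" or bare "Key:"
# The range phrasings used in this report; anything else is reported as unparsed.
RANGE_RE = re.compile(r"curl (\d+\.\d+\.\d+) (?:to and including|through) (\d+\.\d+\.\d+)")
UPTO_RE = re.compile(r"curl (\d+\.\d+\.\d+) and earlier")


@dataclass
class CveRecord:
    cve_id: str
    cvss: float
    severity: str
    dependency: str
    description: str
    cpes: List[str]


def _to_record(f: dict) -> CveRecord:
    return CveRecord(f["CVE ID"], float(f["CVSS v3 score"]), f["Severity"],
                     f["Dependencies"], f["Description"], f["cpes"])


def parse_report(text: str) -> List[CveRecord]:
    """Split the report into records, re-joining wrapped Description lines."""
    records, fields, last_key = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or (fields is None and not line.startswith("CVE ID:")):
            continue
        if line.startswith("- "):                # CPE list entry
            fields["cpes"].append(line[2:])
            continue
        m = FIELD_RE.match(line)
        if m is None:                            # continuation of a wrapped value
            fields[last_key] += " " + line
            continue
        key, value = m.group(1), m.group(2) or ""
        if key == "CVE ID":                      # a new record starts
            if fields:
                records.append(_to_record(fields))
            fields = {"cpes": []}
        fields[key] = value
        last_key = key
    if fields:
        records.append(_to_record(fields))
    return records


def affected_range(description: str) -> Optional[Tuple[Optional[str], str]]:
    """Inclusive (low, high) bounds from the description, or None if unparsed."""
    m = RANGE_RE.search(description)
    if m:
        return m.group(1), m.group(2)
    m = UPTO_RE.search(description)
    return (None, m.group(1)) if m else None


def _vtuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, rng) -> Optional[bool]:
    """True/False for a parsed range; None when the range is unknown."""
    if rng is None:
        return None
    v, (low, high) = _vtuple(version), rng
    return (low is None or _vtuple(low) <= v) and v <= _vtuple(high)


def blocking(records: List[CveRecord], version: str,
             severities=("HIGH", "CRITICAL")) -> List[str]:
    """CVE IDs at the given severities that still affect `version`; an unparsed
    range counts as affected so that a new phrasing fails closed."""
    return [r.cve_id for r in records if r.severity in severities
            and is_affected(version, affected_range(r.description)) is not False]
```

For this report, blocking(parse_report(SAMPLE_REPORT), "7.73.0") returns the two HIGH findings and the same call for "7.74.0" returns an empty list, which is the concrete check behind "the update is belt-and-braces". The range regexes only know the phrasings that appear in these three descriptions; for anything else the NVD/CPE data is the authoritative source.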
/lgtm deps

repokitteh-read-only (bot) removed the "deps" label (Approval required for changes to Envoy's external dependencies) on Dec 16, 2020
snowp approved these changes on Dec 17, 2020
Seems like this is causing some linker issue:

The build picks up system libidn2-dev package. We should probably patch curl to force disabling IDNA.

That should be a force CMake override. I'd audited the last release against win32 detections but I guess we need to repeat for linux.

Would you please file an issue and Harvey or I will bind it to the 1.17 milestone.