
dependencies: upgrade libcurl to 7.74.0. #14444

Merged
merged 1 commit into from
Dec 17, 2020
Merged

Conversation

@htuch htuch commented Dec 16, 2020

Address CVE scanner reports. These don't appear to impact Envoy extension use
of libcurl, so fixing in the open, the update is belt-and-braces.

CVE ID: CVE-2020-8284
CVSS v3 score: 3.7
Severity: LOW
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: A malicious server can use the FTP PASV response to trick curl 7.73.0
and earlier into connecting back to a given IP address and port, and
this way potentially make curl extract information about services that
are otherwise private and not disclosed, for example doing port
scanning and service banner extractions.
Affected CPEs:

  • cpe:2.3:o:fedoraproject:fedora:33
  • cpe:2.3:a:haxx:curl:*

CVE ID: CVE-2020-8285
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled
recursion due to a stack overflow issue in FTP wildcard match parsing.
Affected CPEs:

  • cpe:2.3:a:haxx:curl:*

CVE ID: CVE-2020-8286
CVSS v3 score: 7.5
Severity: HIGH
Published date: 2020-12-14
Last modified date: 2020-12-15
Dependencies: com_github_curl
Description: curl 7.41.0 through 7.73.0 is vulnerable to an improper check for
certificate revocation due to insufficient verification of the OCSP
response.
Affected CPEs:

  • cpe:2.3:a:haxx:curl:*

Signed-off-by: Harvey Tuch htuch@google.com
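To make the CVE-2020-8284 issue concrete from the defender's side, here is an added example (not code from this PR or from curl) of the check a client should apply to an FTP 227 PASV response. Since curl 7.74.0 the IP in the PASV reply is ignored by default and the control connection's address is reused; this example models that policy. The sample responses and `control_ip` values are constructed.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -- six decimal fields
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line):
    """Extract (advertised_host, port) from a 227 reply, validating each field."""
    m = PASV_RE.search(line.strip())
    if not m:
        raise ValueError("not a 227 PASV response: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range: %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = (fields[4] << 8) | fields[5]  # p1*256 + p2
    if port == 0:
        raise ValueError("PASV advertised port 0")
    return host, port


def choose_data_endpoint(pasv_line, control_ip, skip_pasv_ip=True):
    """Decide where the data connection goes.

    Returns (target_ip, port, redirect_attempted).  With skip_pasv_ip=True
    (curl 7.74.0's default) the server-supplied address is ignored and the
    data connection reuses control_ip, so a malicious server cannot steer the
    client at an internal host of its choosing (the CVE-2020-8284 pattern).
    With skip_pasv_ip=False the pre-7.74.0 behaviour is reproduced, which is
    what a scanner or test harness would want to flag.
    """
    advertised_host, port = parse_pasv(pasv_line)
    redirect_attempted = advertised_host != control_ip
    target = control_ip if skip_pasv_ip else advertised_host
    return target, port, redirect_attempted


if __name__ == "__main__":
    # Constructed: server at 203.0.113.5 tries to point the client at 10.0.0.7:22
    reply = "227 Entering Passive Mode (10,0,0,7,0,22)."
    print(choose_data_endpoint(reply, "203.0.113.5"))
    print(choose_data_endpoint(reply, "203.0.113.5", skip_pasv_ip=False))
```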

@repokitteh-read-only

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).


@repokitteh-read-only repokitteh-read-only bot added the deps Approval required for changes to Envoy's external dependencies label Dec 16, 2020
@htuch
Member Author

htuch commented Dec 16, 2020

CC @wrowe on curl.patch changes.
@moderation
Contributor

/lgtm deps

@repokitteh-read-only repokitteh-read-only bot removed the deps Approval required for changes to Envoy's external dependencies label Dec 16, 2020
@htuch htuch merged commit ad3c545 into envoyproxy:master Dec 17, 2020
@htuch htuch deleted the curl-upgrade branch December 17, 2020 14:47
@kyessenov
Contributor

Seems like this is causing some linker issue:

bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/curl/lib/libcurl.a(url.c.o):url.c:function Curl_idnconvert_hostname: error: undefined reference to 'idn2_check_version'
bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/curl/lib/libcurl.a(url.c.o):url.c:function Curl_idnconvert_hostname: error: undefined reference to 'idn2_lookup_ul'
bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/curl/lib/libcurl.a(url.c.o):url.c:function Curl_idnconvert_hostname: error: undefined reference to 'idn2_strerror'
bazel-out/k8-fastbuild/bin/external/envoy/bazel/foreign_cc/curl/lib/libcurl.a(url.c.o):url.c:function Curl_free_idnconverted_hostname: error: undefined reference to 'idn2_free'

@kyessenov
Contributor

The build picks up system libidn2-dev package. We should probably patch curl to force disabling IDNA.

@wrowe
Contributor

wrowe commented Dec 22, 2020

That should be a force CMake override. I'd audited the last release against win32 detections but I guess we need to repeat for linux.

@wrowe
Contributor

wrowe commented Dec 22, 2020

Would you please file an issue and Harvey or I will bind it to the 1.17 milestone.

@kyessenov
Contributor

@wrowe #14506
