rpm package
opensuse/curl&distro=openSUSE Leap 15.6
pkg:rpm/opensuse/curl&distro=openSUSE%20Leap%2015.6
Vulnerabilities (24)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8096 | — | | | < 8.6.0-150600.4.6.1 | 8.6.0-150600.4.6.1 | Sep 11, 2024 | When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it might fail to detect some OCSP problems and instead wrongly consider the response as fine. If the returned status reports |
| CVE-2024-7264 | — | | | < 8.6.0-150600.4.3.1 | 8.6.0-150600.4.3.1 | Jul 31, 2024 | libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer t |
| CVE-2024-6874 | — | | | < 8.14.1-150600.4.28.1 | 8.14.1-150600.4.28.1 | Jul 24, 2024 | libcurl's URL API function [curl_url_get()](https://curl.se/libcurl/c/curl_url_get.html) offers punycode conversions, to and from IDN. Asking to convert a name that is exactly 256 bytes, libcurl ends up reading outside of a stack based buffer when built to use the *macidn* IDN ba |
| CVE-2024-6197 | — | | | < 8.6.0-150600.4.3.1 | 8.6.0-150600.4.3.1 | Jul 24, 2024 | libcurl's ASN1 parser has this `utf8asn1str()` function used for parsing an ASN.1 UTF-8 string. It can detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte local stack buffer. Most modern malloc implementations detect this error |