
Review of CVE-2024-6197 affecting curl versions on RHEL 10


    • Type: Ticket
    • Resolution: Unresolved
    • Priority: Major

      Why need this Task?

      Flagging vulnerability on this advisory despite Bugzilla claiming it's not vulnerable.

      Description: 

      From the advisory https://access.redhat.com/security/cve/cve-2024-6197, we notice that the Bugzilla states the following:

      AFFECTED VERSIONS
      The vulnerable code can only be reached when curl is built to use GnuTLS, wolfSSL, Schannel or Secure Transport. Builds using other TLS backends are not vulnerable.
      Affected versions: curl 8.6.0 to and including 8.8.0
      Not affected versions: curl < 8.6.0 and >= 8.9.0
      Introduced-in: https://github.com/curl/curl/commit/623c3a8fa0bdb2751f1 (8.6.0).

      We have a customer who is running curl on RHEL 10 and believe it shouldn't be vulnerable in this case then. The version installed is 8.9.0-r0. However, all versions are vulnerable according to the CSAF VEX files. Can you please let me know if this is a bug?
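      The check behind this ticket, written out as an added example (not code from the ticket, from Red Hat's security data tooling, or from the curl project): take the affected range and TLS-backend condition exactly as the upstream advisory states them, strip any distro suffix such as "-r0" from the installed version so only the upstream curl version is compared, and flag where a VEX product_status bucket disagrees with that reading. The VEX fragment, the product IDs and the 8.7.1 build are constructed for illustration and only borrow the shape of a CSAF 2.0 product_status block; a real Red Hat CSAF VEX file has its own product IDs and many more fields.

```python
"""Cross-check an advisory's stated affected range against a VEX product_status entry.

Added example, not Red Hat or curl project code. The VEX document below is a
constructed, minimal fragment shaped like a CSAF 2.0 product_status block.
"""
from __future__ import annotations

import re

# Affected range as stated in the upstream curl advisory quoted in the ticket:
# curl 8.6.0 up to and including 8.8.0; < 8.6.0 and >= 8.9.0 are not affected.
AFFECTED_MIN = (8, 6, 0)
AFFECTED_MAX = (8, 8, 0)

# Only builds using these TLS backends reach the vulnerable code, per the advisory text.
VULNERABLE_TLS_BACKENDS = {"GnuTLS", "wolfSSL", "Schannel", "Secure Transport"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the numeric upstream version from a package version string.

    Distro suffixes such as '-r0' or '-1.el10' are ignored, because the advisory
    range refers to the upstream curl version, not the packaged release string.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def upstream_range_affected(version: str) -> bool:
    """True when the upstream version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def advisory_says_affected(version: str, tls_backend: str) -> bool:
    """Combine the version range with the TLS-backend condition from the advisory."""
    return upstream_range_affected(version) and tls_backend in VULNERABLE_TLS_BACKENDS


def vex_status(vex: dict, product_id: str) -> str:
    """Return the product_status bucket a product ID sits in (e.g. 'known_affected',
    'known_not_affected', 'fixed', 'under_investigation'), or 'unlisted'."""
    for bucket, ids in vex.get("product_status", {}).items():
        if product_id in ids:
            return bucket
    return "unlisted"


def _fmt(v: tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in v)


def find_discrepancy(vex: dict, product_id: str, version: str, tls_backend: str) -> str | None:
    """Compare the VEX bucket with what the advisory text implies.

    Returns a human-readable note when the two disagree, otherwise None.
    """
    bucket = vex_status(vex, product_id)
    expected = advisory_says_affected(version, tls_backend)
    if bucket == "known_affected" and not expected:
        return (f"{product_id}: VEX lists known_affected, but advisory range "
                f"{_fmt(AFFECTED_MIN)}..{_fmt(AFFECTED_MAX)} with backend "
                f"{tls_backend} does not cover {version}")
    if bucket == "known_not_affected" and expected:
        return f"{product_id}: VEX lists known_not_affected, but advisory text covers {version}"
    return None


# Constructed VEX fragment (hypothetical product IDs). It mirrors the ticket's claim
# that the VEX file marks every curl version as affected, including 8.9.0.
SAMPLE_VEX = {
    "product_status": {
        "known_affected": ["curl-8.9.0-r0.rhel10", "curl-8.7.1.rhel10"],
    }
}


def main() -> None:
    # Backend is passed explicitly; the ticket does not state which backend the
    # RHEL 10 build uses, so "GnuTLS" here is only an assumed input for the demo.
    for pid, ver in (("curl-8.9.0-r0.rhel10", "8.9.0-r0"), ("curl-8.7.1.rhel10", "8.7.1")):
        note = find_discrepancy(SAMPLE_VEX, pid, ver, "GnuTLS")
        print(note or f"{pid}: VEX and advisory agree")


if __name__ == "__main__":
    main()
```

Running it prints one discrepancy for the 8.9.0 build (outside the advisory's range) and an agreement for the constructed 8.7.1 build. Swapping the backend to one not in the advisory's list (for example "OpenSSL") turns the 8.7.1 case into a discrepancy as well, which is the second condition a reviewer should check before accepting a VEX "affected" mark.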

       

              yuwang@redhat.com Yuguang Wang
              jonathan.dong Jonathan Dong