Bug 1217574 (CVE-2023-46219) - VUL-0: CVE-2023-46219: curl: HSTS long file name clears contents
Summary: VUL-0: CVE-2023-46219: curl: HSTS long file name clears contents
Status: RESOLVED FIXED
Alias: CVE-2023-46219
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/386281/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46219:4.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-28 08:34 UTC by Thomas Leroy
Modified: 2024-04-15 15:09 UTC
CC List: 1 user

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 4 Thomas Leroy 2023-11-29 14:55:56 UTC
Affected:

SUSE:ALP:Source:Standard:1.0
Comment 5 Otto Hollmann 2023-11-29 15:10:32 UTC
Submitted:

> Codestream              | Version | Request
> ------------------------+---------+-------------
> SUSE_SLE-15-SP4_Update  | 8.0.1   | 314009
> SUSE_SLE-15-SP2_Update  | 7.66.0  | not affected
> SUSE_SLE-15_Update      | 7.60.0  | not affected
> SUSE_SLE-12-SP5_Update  | 8.0.1   | 314012
> SUSE:SLE-12-SP4:Update  | 7.60.0  | not affected/out of support
> SUSE_SLE-12_Update      | 7.37.0  | not affected

Codestreams: SUSE_SLE-15-SP6:GA, SUSE:ALP:Source:Standard:1.0, openSUSE:Factory are also affected and will be fixed after CRD.
Comment 6 Otto Hollmann 2023-12-04 07:38:56 UTC
I referenced the wrong bug number in the changelog, so I resubmitted these requests:

> SUSE_SLE-15-SP4_Update   314009 -> 314242
> SUSE_SLE-12-SP5_Update   314012 -> 314241
Comment 8 Marcus Meissner 2023-12-06 09:27:58 UTC
public

        CVE-2023-46219: https://curl.se/docs/CVE-2023-46219.html
        OSS:2023/Q4/262: https://seclists.org/oss-sec/2023/q4/262
Comment 9 Maintenance Automation 2023-12-06 16:30:42 UTC
SUSE-SU-2023:4659-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1217573, 1217574
CVE References: CVE-2023-46218, CVE-2023-46219
Sources used:
openSUSE Leap 15.4 (src): curl-8.0.1-150400.5.36.1
openSUSE Leap Micro 5.3 (src): curl-8.0.1-150400.5.36.1
openSUSE Leap Micro 5.4 (src): curl-8.0.1-150400.5.36.1
openSUSE Leap 15.5 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro 5.3 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro 5.4 (src): curl-8.0.1-150400.5.36.1
SUSE Linux Enterprise Micro 5.5 (src): curl-8.0.1-150400.5.36.1
Basesystem Module 15-SP4 (src): curl-8.0.1-150400.5.36.1
Basesystem Module 15-SP5 (src): curl-8.0.1-150400.5.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-12-06 16:30:49 UTC
SUSE-SU-2023:4653-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1217573, 1217574
CVE References: CVE-2023-46218, CVE-2023-46219
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): curl-8.0.1-11.80.1
SUSE Linux Enterprise Server 12 SP5 (src): curl-8.0.1-11.80.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): curl-8.0.1-11.80.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): curl-8.0.1-11.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
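The two release notices above name the fixed curl source builds per product line (8.0.1-150400.5.36.1 for the SLE 15 SP4/SP5 based products, 8.0.1-11.80.1 for SLE 12 SP5). The following is an added example, not SUSE's or curl's code and not part of this bug report: it reimplements rpm's rpmvercmp() segment ordering (digit runs compared numerically, letter runs lexically, '~' before everything, '^' after the bare version) so that an installed curl EVR can be compared against the fixed build without librpm. The advisory-to-version table is copied from the notices; the sample EVR strings in the main block are constructed, and the only assumption is that the installed EVR is taken from the same codestream as the advisory it is compared with (a package from another product line, e.g. a Factory version upgrade, is not comparable this way).

```python
"""Check whether an installed curl RPM is at or above the fixed builds named in
SUSE-SU-2023:4659-1 and SUSE-SU-2023:4653-1.

Added example, not SUSE's or curl's code. rpm's rpmvercmp() segment rules are
reimplemented here (rather than calling librpm) so the check runs anywhere.
"""
import re
import string

_ALNUM = set(string.ascii_letters + string.digits)

# Fixed curl source versions, copied from the two release notices above.
FIXED_CURL = {
    "SUSE-SU-2023:4659-1": "8.0.1-150400.5.36.1",  # SLE 15 SP4/SP5, Leap 15.4/15.5, SLE Micro 5.3-5.5
    "SUSE-SU-2023:4653-1": "8.0.1-11.80.1",        # SLE 12 SP5 (Server, HPC, SAP, SDK)
}


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with rpm's segment semantics: digit runs compare
    numerically, letter runs lexically, '~' sorts before everything (pre-release),
    '^' sorts after the bare version but before any other suffix (snapshot)."""
    if a == b:
        return 0

    def skip_separators(s: str, k: int) -> int:
        # Any non-alphanumeric character other than '~' / '^' is a separator.
        while k < len(s) and s[k] not in _ALNUM and s[k] not in "~^":
            k += 1
        return k

    i = j = 0
    while i < len(a) or j < len(b):
        i, j = skip_separators(a, i), skip_separators(b, j)
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break  # one side exhausted; the side with characters left wins below
        num = re.match(r"[0-9]+", a[i:])
        if num:
            seg_a, seg_b, isnum = num.group(), re.match(r"[0-9]*", b[j:]).group(), True
        else:
            seg_a = re.match(r"[A-Za-z]+", a[i:]).group()
            seg_b, isnum = re.match(r"[A-Za-z]*", b[j:]).group(), False
        if seg_b == "":
            return 1 if isnum else -1  # segment types differ: numeric beats alphabetic
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' as printed by
    rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\\n' curl   (no epoch prints as '(none)')."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e == "(none)" else int(e)
    version, _, release = evr.rpartition("-")
    if not version:  # no '-' present: the whole string is the version
        version, release = release, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str, advisory: str) -> bool:
    """True if the installed EVR is at or above the advisory's fixed build.
    Only meaningful when installed_evr comes from the same codestream as the advisory."""
    return evrcmp(installed_evr, FIXED_CURL[advisory]) >= 0


if __name__ == "__main__":
    # Constructed sample EVRs; on a real host take the string from
    #   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' curl
    for evr, adv in [("(none):8.0.1-150400.5.34.1", "SUSE-SU-2023:4659-1"),
                     ("(none):8.0.1-150400.5.36.1", "SUSE-SU-2023:4659-1"),
                     ("(none):8.0.1-11.80.1", "SUSE-SU-2023:4653-1")]:
        print(f"{evr:32} {adv}: {'fixed' if is_fixed(evr, adv) else 'VULNERABLE'}")
```

The separator handling matters for SUSE release strings such as 150400.5.36.1: rpm compares segment by segment, so 150400.5.36.1 sorts above 150400.5.9.1 even though a plain string comparison would say otherwise.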
Comment 11 Otto Hollmann 2023-12-07 09:49:38 UTC
Submitted version upgrades:
ALP
> https://build.suse.de/request/show/314850

openSUSE:Factory
> https://build.opensuse.org/request/show/1131466

There is no codestream for SLE15-SP6; it's inherited from 15-SP4.
Everything is submitted, assigning back to the security team.
Comment 14 Marcus Meissner 2024-04-15 15:09:34 UTC
released