Bugzilla – Bug 1219273
VUL-0: curl: missing regression fix for CVE-2023-27534
Last modified: 2024-06-12 12:32:13 UTC
Received via email:

Hi,

I could not get the fix for CVE-2023-27534 for curl from your side (I did not find a public srpm repository*).

Nevertheless, due to the date of the fix, it seems that you forgot a regression fix. The upstream commits are here:

origin: https://github.com/curl/curl/commit/4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6
origin-fix: https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325

I attach my patch if you could check. Can you cross-check with my patch?

Thanks
Created attachment 872248: CVE-2023-27534.patch

incremental patch CVE-2023-27534.patch
Did we ever address this?
As far as I can tell, the regression fix is needed only for

15sp2 https://build.suse.de/request/show/333371
12 https://build.suse.de/request/show/333372

12sp5,15sp4+ have newer curl and 15/curl is not supported anymore.
SUSE-SU-2024:2009-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1219273
CVE References: CVE-2023-27534
Maintenance Incident: [SUSE:Maintenance:34220](https://smelt.suse.de/incident/34220/)
Sources used:
SUSE Linux Enterprise Micro 5.1 (src): curl-7.66.0-150200.4.72.1
SUSE Linux Enterprise Micro 5.2 (src): curl-7.66.0-150200.4.72.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): curl-7.66.0-150200.4.72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.