suse-su-2025:20029-1
Vulnerability from csaf_suse
Published
2025-02-03 08:51
Modified
2025-02-03 08:51
Summary
Security update for curl
Notes
Title of the patch
Security update for curl
Description of the patch
This update for curl fixes the following issues:
Security issues fixed:
- CVE-2024-7264: ASN.1 date parser overread (bsc#1228535)
- CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888)
- CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666)
- CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668)
- CVE-2024-2004: Usage of disabled protocol (bsc#1221665)
- CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667)
Non-security issue fixed:
- Fixed various TLS related issues including FTP over SSL transmission timeouts.
Patchnames
SUSE-SLE-Micro-6.0-30
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for curl",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for curl fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2024-7264: ASN.1 date parser overread (bsc#1228535)\n- CVE-2024-6197: Freeing stack buffer in utf8asn1str (bsc#1227888)\n- CVE-2024-2379: QUIC certificate check bypass with wolfSSL (bsc#1221666)\n- CVE-2024-2466: TLS certificate check bypass with mbedTLS (bsc#1221668)\n- CVE-2024-2004: Usage of disabled protocol (bsc#1221665)\n- CVE-2024-2398: HTTP/2 push headers memory-leak (bsc#1221667)\n\nNon-security issue fixed:\n\n- Fixed various TLS related issues including FTP over SSL transmission timeouts.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-30",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20029-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:20029-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520029-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:20029-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2025-June/021336.html"
},
{
"category": "self",
"summary": "SUSE Bug 1221665",
"url": "https://bugzilla.suse.com/1221665"
},
{
"category": "self",
"summary": "SUSE Bug 1221666",
"url": "https://bugzilla.suse.com/1221666"
},
{
"category": "self",
"summary": "SUSE Bug 1221667",
"url": "https://bugzilla.suse.com/1221667"
},
{
"category": "self",
"summary": "SUSE Bug 1221668",
"url": "https://bugzilla.suse.com/1221668"
},
{
"category": "self",
"summary": "SUSE Bug 1227888",
"url": "https://bugzilla.suse.com/1227888"
},
{
"category": "self",
"summary": "SUSE Bug 1228535",
"url": "https://bugzilla.suse.com/1228535"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-2004 page",
"url": "https://www.suse.com/security/cve/CVE-2024-2004/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-2379 page",
"url": "https://www.suse.com/security/cve/CVE-2024-2379/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-2398 page",
"url": "https://www.suse.com/security/cve/CVE-2024-2398/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-2466 page",
"url": "https://www.suse.com/security/cve/CVE-2024-2466/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-6197 page",
"url": "https://www.suse.com/security/cve/CVE-2024-6197/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-7264 page",
"url": "https://www.suse.com/security/cve/CVE-2024-7264/"
}
],
"title": "Security update for curl",
"tracking": {
"current_release_date": "2025-02-03T08:51:25Z",
"generator": {
"date": "2025-02-03T08:51:25Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:20029-1",
"initial_release_date": "2025-02-03T08:51:25Z",
"revision_history": [
{
"date": "2025-02-03T08:51:25Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "curl-8.6.0-3.1.aarch64",
"product": {
"name": "curl-8.6.0-3.1.aarch64",
"product_id": "curl-8.6.0-3.1.aarch64"
}
},
{
"category": "product_version",
"name": "libcurl4-8.6.0-3.1.aarch64",
"product": {
"name": "libcurl4-8.6.0-3.1.aarch64",
"product_id": "libcurl4-8.6.0-3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-8.6.0-3.1.s390x",
"product": {
"name": "curl-8.6.0-3.1.s390x",
"product_id": "curl-8.6.0-3.1.s390x"
}
},
{
"category": "product_version",
"name": "libcurl4-8.6.0-3.1.s390x",
"product": {
"name": "libcurl4-8.6.0-3.1.s390x",
"product_id": "libcurl4-8.6.0-3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "curl-8.6.0-3.1.x86_64",
"product": {
"name": "curl-8.6.0-3.1.x86_64",
"product_id": "curl-8.6.0-3.1.x86_64"
}
},
{
"category": "product_version",
"name": "libcurl4-8.6.0-3.1.x86_64",
"product": {
"name": "libcurl4-8.6.0-3.1.x86_64",
"product_id": "libcurl4-8.6.0-3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-8.6.0-3.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64"
},
"product_reference": "curl-8.6.0-3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-8.6.0-3.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x"
},
"product_reference": "curl-8.6.0-3.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "curl-8.6.0-3.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64"
},
"product_reference": "curl-8.6.0-3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-8.6.0-3.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64"
},
"product_reference": "libcurl4-8.6.0-3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-8.6.0-3.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x"
},
"product_reference": "libcurl4-8.6.0-3.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libcurl4-8.6.0-3.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
},
"product_reference": "libcurl4-8.6.0-3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-2004",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-2004"
}
],
"notes": [
{
"category": "general",
"text": "When a protocol selection parameter option disables all protocols without adding any then the default set of protocols would remain in the allowed set due to an error in the logic for removing protocols. The below command would perform a request to curl.se with a plaintext protocol which has been explicitly disabled. curl --proto -all,-http http://curl.se The flaw is only present if the set of selected protocols disables the entire set of available protocols, in itself a command with no practical use and therefore unlikely to be encountered in real situations. The curl security team has thus assessed this to be low severity bug.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-2004",
"url": "https://www.suse.com/security/cve/CVE-2024-2004"
},
{
"category": "external",
"summary": "SUSE Bug 1221665 for CVE-2024-2004",
"url": "https://bugzilla.suse.com/1221665"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-03T08:51:25Z",
"details": "moderate"
}
],
"title": "CVE-2024-2004"
},
{
"cve": "CVE-2024-2379",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-2379"
}
],
"notes": [
{
"category": "general",
"text": "libcurl skips the certificate verification for a QUIC connection under certain conditions, when built to use wolfSSL. If told to use an unknown/bad cipher or curve, the error path accidentally skips the verification and returns OK, thus ignoring any certificate problems.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-2379",
"url": "https://www.suse.com/security/cve/CVE-2024-2379"
},
{
"category": "external",
"summary": "SUSE Bug 1221666 for CVE-2024-2379",
"url": "https://bugzilla.suse.com/1221666"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-03T08:51:25Z",
"details": "moderate"
}
],
"title": "CVE-2024-2379"
},
{
"cve": "CVE-2024-2398",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-2398"
}
],
"notes": [
{
"category": "general",
"text": "When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-2398",
"url": "https://www.suse.com/security/cve/CVE-2024-2398"
},
{
"category": "external",
"summary": "SUSE Bug 1221667 for CVE-2024-2398",
"url": "https://bugzilla.suse.com/1221667"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-03T08:51:25Z",
"details": "moderate"
}
],
"title": "CVE-2024-2398"
},
{
"cve": "CVE-2024-2466",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-2466"
}
],
"notes": [
{
"category": "general",
"text": "libcurl did not check the server certificate of TLS connections done to a host specified as an IP address, when built to use mbedTLS. libcurl would wrongly avoid using the set hostname function when the specified hostname was given as an IP address, therefore completely skipping the certificate check. This affects all uses of TLS protocols (HTTPS, FTPS, IMAPS, POPS3, SMTPS, etc).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-2466",
"url": "https://www.suse.com/security/cve/CVE-2024-2466"
},
{
"category": "external",
"summary": "SUSE Bug 1221668 for CVE-2024-2466",
"url": "https://bugzilla.suse.com/1221668"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-03T08:51:25Z",
"details": "moderate"
}
],
"title": "CVE-2024-2466"
},
{
"cve": "CVE-2024-6197",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-6197"
}
],
"notes": [
{
"category": "general",
"text": "libcurl\u0027s ASN1 parser has this utf8asn1str() function used for parsing an ASN.1 UTF-8 string. Itcan detect an invalid field and return error. Unfortunately, when doing so it also invokes `free()` on a 4 byte localstack buffer. Most modern malloc implementations detect this error and immediately abort. Some however accept the input pointer and add that memory to its list of available chunks. This leads to the overwriting of nearby stack memory. The content of the overwrite is decided by the `free()` implementation; likely to be memory pointers and a set of flags. The most likely outcome of exploting this flaw is a crash, although it cannot be ruled out that more serious results can be had in special circumstances.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-6197",
"url": "https://www.suse.com/security/cve/CVE-2024-6197"
},
{
"category": "external",
"summary": "SUSE Bug 1227888 for CVE-2024-6197",
"url": "https://bugzilla.suse.com/1227888"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-03T08:51:25Z",
"details": "important"
}
],
"title": "CVE-2024-6197"
},
{
"cve": "CVE-2024-7264",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-7264"
}
],
"notes": [
{
"category": "general",
"text": "libcurl\u0027s ASN1 parser code has the `GTime2str()` function, used for parsing an\nASN.1 Generalized Time field. If given an syntactically incorrect field, the\nparser might end up using -1 for the length of the *time fraction*, leading to\na `strlen()` getting performed on a pointer to a heap buffer area that is not\n(purposely) null terminated.\n\nThis flaw most likely leads to a crash, but can also lead to heap contents\ngetting returned to the application when\n[CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-7264",
"url": "https://www.suse.com/security/cve/CVE-2024-7264"
},
{
"category": "external",
"summary": "SUSE Bug 1228535 for CVE-2024-7264",
"url": "https://bugzilla.suse.com/1228535"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:curl-8.6.0-3.1.x86_64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.aarch64",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.s390x",
"SUSE Linux Micro 6.0:libcurl4-8.6.0-3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-02-03T08:51:25Z",
"details": "moderate"
}
],
"title": "CVE-2024-7264"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…