Bump curl from 8.4.0 to 8.8.0 #205

Merged
merged 2 commits into from
Jul 24, 2024

ryfu-msft
Contributor

Address a component governance issue with curl 8.4.0 by updating to the latest release (8.8.0)

CVE-2024-2398
Description of issue:
cURL / libcURL contains a flaw in lib/http2.c that is triggered when handling large amounts of headers. This may allow a remote attacker to consume excessive memory resources and cause a denial of service.

This issue is fixed in the latest release of curl:
https://github.com/curl/curl/releases/tag/curl-8_8_0
Commit used: fd567d4f06857f4fc8e2f64ea727b1318f76ad33

@ryfu-msft ryfu-msft requested a review from a team as a code owner July 23, 2024 23:35
@arthuraraujo-msft
Contributor

Looks like the curl error message also changed when calling POST with a message size over the allowed limit, and the test "Testing a response over the limit fails the operation" is failing.
Previously: "Failure writing output to destination"
Now: "client returned ERROR on write of 16384 bytes"
curl/curl@270a25c

@arthuraraujo-msft
Contributor

arthuraraujo-msft commented Jul 24, 2024

@ryfu-msft please apply the patch below to fix the test:
sfs.patch
git apply sfs.patch

@ryfu-msft
Contributor Author

@ryfu-msft please apply the patch below to fix the test: sfs.patch git apply sfs.patch

Ah thank you! I wasn't sure if I did something wrong or was supposed to update the test manually. Updated with latest patch.

@arthuraraujo-msft arthuraraujo-msft changed the title Update curl to 8.8.0 Bump curl from 8.4.0 to 8.8.0 Jul 24, 2024
@arthuraraujo-msft arthuraraujo-msft merged commit 6ab78af into microsoft:main Jul 24, 2024
3 checks passed
@arthuraraujo-msft
Contributor

Thanks @ryfu-msft !
