[osgeo4w-dev] [osgeo4w] #841: Vulnerable Curl.exe v8.6.0 exists in OSGeo4W install
OSGeo4W
trac_osgeo4w at osgeo.org
Thu Jul 4 07:42:18 PDT 2024
#841: Vulnerable Curl.exe v8.6.0 exists in OSGeo4W install
----------------------+---------------------------
Reporter: ascottwwf | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: normal | Component: Package
Version: | Keywords:
----------------------+---------------------------
Hello,
I have noticed that the OSGeo4W_v2 installer (which we use to install QGIS
LTR) contains version 8.6.0 of curl.exe (located in the \OSGeo4W\bin folder).
This version of curl is vulnerable to 2 medium and 2 low severity CVEs
(CVE-2024-2466, CVE-2024-2398, CVE-2024-2379 and CVE-2024-2004) see:
https://curl.se/docs/vulnerabilities.html.
These have all been fixed since version v8.7.0.
N.B. v8.8.0 is currently the latest release (Changelog:
https://curl.se/changes.html)
Please could you update the OSGeov2 Installer to include the latest
release of Curl to remove these current CVEs.
Thanks in advance
Adrian Scott
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/841>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.