[osgeo4w-dev] [osgeo4w] #841: Vulnerable Curl.exe v8.6.0 exists in OSGeo4W install
OSGeo4W
trac_osgeo4w at osgeo.org
Thu Jul 4 07:43:06 PDT 2024
#841: Vulnerable Curl.exe v8.6.0 exists in OSGeo4W install
----------------------+----------------------------
Reporter: ascottwwf | Owner: osgeo4w-dev@…
Type: defect | Status: new
Priority: normal | Component: Package
Version: | Resolution:
Keywords: |
----------------------+----------------------------
Description changed by ascottwwf:
Old description:
> Hello,
>
> I have noticed that the OSGeo4W_v2 installer (Which we use to install
> QGIS LTR) contains version 8.6.0 of curl.exe (located in \OSGeo4W\bin
> folder)
>
> This version of curl is vulnerable to 2 medium and 2 low severity CVEs
> (CVE-2024-2466, CVE-2024-2398, CVE-2024-2379 and CVE-2024-2004) see:
> https://curl.se/docs/vulnerabilities.html.
> These have all been fixed since version v8.7.0.
> N.B. v8.8.0 is currently the latest release (Changelog:
> https://curl.se/changes.html)
>
> Please could you update the OSGeov2 Installer to include the latest
> release of Curl to remove these current CVEs.
>
> Thanks in advance
> Adrian Scott
New description:
Hello,
I have noticed that the OSGeo4W_v2 installer (Which we use to install QGIS
LTR) contains version 8.6.0 of curl.exe (located in \OSGeo4W\bin folder)
This version of curl is vulnerable to 2 medium and 2 low severity CVEs
(CVE-2024-2466, CVE-2024-2398, CVE-2024-2379 and CVE-2024-2004) see:
https://curl.se/docs/vulnerabilities.html.
These have all been fixed since version v8.7.0.
N.B. v8.8.0 is currently the latest release (Changelog:
https://curl.se/changes.html)
Please could you update the OSGeov2 Installer to include the latest
release of Curl to remove these current CVEs.
Thanks in advance
Adrian Scott
--
--
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/841#comment:1>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.
More information about the osgeo4w-dev
mailing list