[osgeo4w-dev] [osgeo4w] #841: Vulnerable Curl.exe v8.6.0 exists in OSGeo4W install

[OSGeo4W]

#841: Vulnerable Curl.exe v8.6.0 exists in OSGeo4W install
----------------------+----------------------------
Reporter:  ascottwwf  |       Owner:  osgeo4w-dev@…
    Type:  defect     |      Status:  new
Priority:  normal     |   Component:  Package
 Version:             |  Resolution:
Keywords:             |
----------------------+----------------------------
Description changed by ascottwwf:

Old description:

> Hello,
>
> I have noticed that the OSGeo4W_v2 installer (Which we use to install
> QGIS LTR) contains version 8.6.0 of curl.exe (located in \OSGeo4W\bin
> folder)
>
> This version of curl is vulnerable to 2 medium and 2 low severity CVEs
> (CVE-2024-2466, CVE-2024-2398, CVE-2024-2379 and CVE-2024-2004) see:
> https://curl.se/docs/vulnerabilities.html.
> These have all been fixed since version v8.7.0.
> N.B. v8.8.0 is currently the latest release (Changelog:
> https://curl.se/changes.html)
>
> Please could you update the OSGeov2 Installer to include the latest
> release of Curl to remove these current CVEs.
>
> Thanks in advance
> Adrian Scott

New description:

 Hello,

 I have noticed that the OSGeo4W_v2 installer (Which we use to install QGIS
 LTR) contains version 8.6.0 of curl.exe (located in \OSGeo4W\bin folder)

 This version of curl is vulnerable to 2 medium and 2 low severity CVEs
 (CVE-2024-2466, CVE-2024-2398, CVE-2024-2379 and CVE-2024-2004) see:
 https://curl.se/docs/vulnerabilities.html.

 These have all been fixed since version v8.7.0.

 N.B. v8.8.0 is currently the latest release (Changelog:
 https://curl.se/changes.html)

 Please could you update the OSGeov2 Installer to include the latest
 release of Curl to remove these current CVEs.

 Thanks in advance

 Adrian Scott

--
-- 
Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/841#comment:1>
OSGeo4W <http://trac.osgeo.org/osgeo4w>
OSGeo4W is the Windows installer and package environment for the OSGeo stack.