CVE-2024-2398 Curl Push Headers Memory-Leak

Hello!

Will AlmaLinux 8 receive an update for this vulnerability?
It looks like remediation was included in May from Red Hat, but there is no mention of it in the 8.10 release notes.

https://access.redhat.com/errata/RHSA-2024:2693

Cheers!


Looking at that RHSA link, the first four of the CVEs in their list aren’t showing up for me in a search on errata.almalinux.org. I know we were having a problem publishing errata a few weeks ago, but I wouldn’t expect that to have been impacting this. Let me poke some folks.

Noting for myself, these are the four I don’t see in errata:

  • curl: Usage of disabled protocol (CVE-2024-2004)
  • curl: QUIC certificate check bypass with wolfSSL (CVE-2024-2379)
  • curl: HTTP/2 push headers memory-leak (CVE-2024-2398)
  • curl: TLS certificate check bypass with mbedTLS (CVE-2024-2466)

In looking further, it looks like we’ve actually released everything that Red Hat has here. The curl patches haven’t been merged into redhat yet, and looking at the patches we don’t think this is a good candidate for merging outside our normal release at this time. If you wanna discuss that, though, the best place to do that is in the ~alesco room on chat.almalinux.org.

That is great, thank you for confirming that!
Just so I don’t jump the gun again, is there anywhere I should be looking to confirm this on the Red Hat site if I don’t have my own instance?

Will definitely sign-up to that chat.


Yup! Just click over to the ‘updated packages’ tab on the page you linked and you’ll see what should be released and not.
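A local complement to checking the ‘updated packages’ tab, as an added example that is not part of this thread: it greps the installed curl RPM changelog for the four CVE ids listed above, so an admin can confirm on the host itself which fixes the package carries. The sample changelog is constructed, and its date, packager address and version string are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an RPM changelog names
# each of the four curl CVEs from RHSA-2024:2693 that were discussed above.
CVES="CVE-2024-2004 CVE-2024-2379 CVE-2024-2398 CVE-2024-2466"

# Constructed stand-in for the output of `rpm -q --changelog curl`; the
# date, packager and version are placeholders, only the CVE ids are real.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Packager <packager@example.invalid> - 0.0.0-0.placeholder
- fix HTTP/2 push headers memory-leak (CVE-2024-2398)
- fix usage of disabled protocol (CVE-2024-2004)
* Mon Jan 01 2024 Packager <packager@example.invalid> - 0.0.0-0.placeholder
- earlier unrelated fix'

# cve_fixed CHANGELOG CVE -> exit 0 if the changelog mentions the CVE id.
# The trailing non-digit guard keeps CVE-2024-2398 from matching a longer id
# that merely starts with the same characters.
cve_fixed() {
    printf '%s\n' "$1" | grep -qE -- "$2"'([^0-9]|$)'
}

# count_missing CHANGELOG -> prints how many of $CVES the changelog lacks.
count_missing() {
    n=0
    for cve in $CVES; do
        cve_fixed "$1" "$cve" || n=$((n + 1))
    done
    echo "$n"
}

# report CHANGELOG -> one status line per CVE, for a human reader.
report() {
    for cve in $CVES; do
        if cve_fixed "$1" "$cve"; then
            echo "$cve: fixed in installed package changelog"
        else
            echo "$cve: not mentioned"
        fi
    done
}

# Use the real curl changelog when rpm is available (AlmaLinux/RHEL hosts);
# otherwise fall back to the constructed sample so the script runs anywhere.
if command -v rpm >/dev/null 2>&1; then
    report "$(rpm -q --changelog curl 2>/dev/null)"
else
    report "$SAMPLE_CHANGELOG"
fi
```

An absent mention is not proof the fix is missing (backports are sometimes logged under a bug id only), so treat a "not mentioned" line as a prompt to check the errata, not as a verdict.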