Bug 2270498 (CVE-2024-2398)
| Summary: | CVE-2024-2398 curl: HTTP/2 push headers memory-leak | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aarif, agarcial, ahrabovs, aoconnor, aprice, asegurap, aucunnin, bdettelb, caswilli, crizzo, csutherl, dfreiber, dkuc, doconnor, drow, fjansen, gsuckevi, hhorak, hkataria, jburrell, jclere, jdobes, jmigacz, jmitchel, jorton, jsamir, jsherril, jtanner, jvasik, kaycoth, kholdawa, kshier, lcouzens, luhliari, luizcosta, mpierce, mskarbek, mstoklus, nweather, oezr, orabin, pjindal, plodge, psampaio, psegedy, rblanco, security-response-team, sidakwo, stcannon, sthirugn, szappis, teagle, vkrizan, vkumar, vmugicag, xiaoxwan, yguenane, zzhou |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | curl 8.7.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in curl. When an application configures libcurl to use HTTP/2 server push and the amount of received headers for the push surpasses the maximum allowed limit, libcurl aborts the server push. When aborting, libcurl does not free all the previously allocated headers, resulting in a memory leak.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2270503, 2271824, 2271825 | ||
| Bug Blocks: | 2270489 | ||
|
Description
Patrick Del Bello
2024-03-20 15:35:48 UTC
Created curl tracking bugs for this issue: Affects: fedora-all [bug 2271824] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 2271825] This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:3998 https://access.redhat.com/errata/RHSA-2024:3998 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:5529 https://access.redhat.com/errata/RHSA-2024:5529 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:5654 https://access.redhat.com/errata/RHSA-2024:5654 This issue has been addressed in the following products: Service Interconnect 1.4 for RHEL 9 Via RHSA-2024:7213 https://access.redhat.com/errata/RHSA-2024:7213 This issue has been addressed in the following products: Service Interconnect 1 for RHEL 9 Via RHSA-2024:7374 https://access.redhat.com/errata/RHSA-2024:7374 |