Bug 2309415

Summary: CVE-2024-7264 curl: ASN.1 date parser overread [fedora-all]
Product: [Fedora] Fedora Reporter: TEJ RATHI <trathi>
Component: curlAssignee: Jan Macku <jamacku>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 40CC: jamacku, jmigacz, kdudka, lzaoral, msekleta, paul, vmihalko
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["8ee117ea-26fb-4e08-87c6-5b2f3facdf12"]}
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-09-12 08:45:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2301888    

Description TEJ RATHI 2024-09-03 12:15:41 UTC 
More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2301888

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 Jan Macku 2024-09-12 08:45:09 UTC 
IMHO, Fedora is not affected by this CVE because we build curl with OpenSSL. According to upstream, only versions built with GnuTLS, Schannel, Secure Transport, or mbedTLS are affected.

See - https://curl.se/docs/CVE-2024-7264.html

> The vulnerable code can only be reached when curl is built to use GnuTLS, Schannel, Secure Transport, or mbedTLS. Builds using other TLS backends are not vulnerable.