libcurl provides several different backends for resolving host names, selected at build time. If it is built to use the synchronous resolver, it allows name resolves to time-out slow operations using `alarm()` and `siglongjmp()`. When doing this, libcurl used a global buffer that was not mutex protected and a multi-threaded application might therefore crash or otherwise misbehave.
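Whether a given curl build sits on the synchronous resolver described above or on a threaded/c-ares one is visible in its feature list: builds with an asynchronous resolver advertise the `AsynchDNS` feature in `curl --version` and `curl-config --features`. The script below is an added example, not code from this bug report, curl, or Red Hat; the two sample outputs are constructed for illustration and the version strings in them are placeholders.

```shell
# Added example: classify a curl build by resolver backend from its feature list.
# Builds with the threaded or c-ares resolver report "AsynchDNS"; builds without
# it use the synchronous resolver and its alarm()/siglongjmp() timeout path.

# resolver_kind TEXT
#   TEXT is the output of `curl --version` (which has a "Features:" line) or
#   of `curl-config --features` (one feature per line). Prints "async" or "sync".
resolver_kind() {
  if printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])AsynchDNS([[:space:]]|$)'; then
    echo async
  else
    echo sync
  fi
}

# check_installed_curl
#   Queries whatever curl tooling is in PATH. Prints the resolver kind and
#   returns 0 for async, 1 for sync, 2 when neither tool is available.
check_installed_curl() {
  if command -v curl-config >/dev/null 2>&1; then
    out=$(curl-config --features 2>/dev/null)
  elif command -v curl >/dev/null 2>&1; then
    out=$(curl --version 2>/dev/null)
  else
    echo "no curl or curl-config in PATH"
    return 2
  fi
  kind=$(resolver_kind "$out")
  echo "$kind"
  [ "$kind" = async ]
}

# Constructed sample outputs (placeholders, not captured from a real host).
SAMPLE_ASYNC='curl X.Y.Z (x86_64-redhat-linux-gnu) libcurl/X.Y.Z
Protocols: dict file ftp ftps http https
Features: AsynchDNS IPv6 Largefile libz SSL UnixSockets'

SAMPLE_SYNC='curl X.Y.Z (x86_64-unknown-linux-gnu) libcurl/X.Y.Z
Protocols: dict file ftp ftps http https
Features: IPv6 Largefile libz SSL'

# Demonstration on the constructed samples: prints "async" then "sync".
resolver_kind "$SAMPLE_ASYNC"
resolver_kind "$SAMPLE_SYNC"
```

Run `check_installed_curl` on a host to see which case its curl falls into; a result of `sync` means the build carries the synchronous resolver this bug concerns, while `async` matches the Fedora/RHEL packaging that switched to the threaded resolver.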
Created curl tracking bugs for this issue: Affects: fedora-38 [bug 2207897]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-28320
Hello, while doing review of the Vulnerability Assessment report of RHEL 8.6 for the purpose of Common Criteria certification, we came across this CVE. The CVE page https://access.redhat.com/security/cve/CVE-2023-28320 has the Statement: "This vulnerability does not affect versions of the curl package as shipped with Red Hat Enterprise Linux 6,7,8 and 9." What is the specific reason why RHEL 8 is not affected? Thank you, Jan
The packaging of curl in Fedora (and consequently in RHEL-7) was switched to the threaded DNS resolver 13 years ago: https://src.fedoraproject.org/rpms/curl/c/438cbdbe Thanks to this change, our curl packages are not affected by CVE-2023-28320.
Great, thanks for the confirmation, Kamil.
Any question for me? I was tagged in comment #6.
Marian, the tracker bugs for this CVE could be closed since RHEL is not affected. See: https://bugzilla.redhat.com/show_bug.cgi?id=2196783#c5
We now have the information on the CVE page https://access.redhat.com/security/cve/CVE-2023-28320 reverted from the original "This vulnerability does not affect versions of the curl package as shipped with Red Hat Enterprise Linux 6,7,8 and 9." to RHEL 7 to 9 being listed as Affected ... but based on Kamil's feedback, that should not be the case. Can you please update the information on the CVE page, incorporating Kamil's justification? I don't really care much about the internal trackers, but those should likely be NOTABUGed as well.
Hello Marian, could you please check the status of those trackers and the CVE page, per comments above?
Sure, should be done now, thanks for the info!