ISN 2023-23: Curl Vulnerability

Updated 2 November 2023 (OS 12.2.1 available)

First published 12 October 2023

CVSS 3.1: 7.5 (High)

CVSS:3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

A vulnerability has been found in the Curl package, which is used in IGEL OS. This affects the following IGEL products:

IGEL OS 12
IGEL OS 11

Details

A heap-based buffer overflow was found in the SOCKS5 proxy handshake in the Curl package. This vulnerability rated high is being tracked with CVE-2023-38545. In the updated packages they also resolved a low severity vulnerability for libcurl which is tracked with CVE-2023-38546. These vulnerabilities were responsibly disclosed to the Curl maintainers and there is no evidence of it being exploited before.

Update Instructions

OS 12: Update to IGEL OS 12.2.1 or newer.
OS 11: Update to IGEL OS 11.09.110 or newer.

References

Curl security advisory: https://curl.se/docs/CVE-2023-38545.html
Details of disclosure: https://hackerone.com/reports/2187833

Download PDF

ISN 2023-23: Curl Vulnerability

Summary

Details

Update Instructions

References

Cookie Notice