Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update curl/libcurl to >= 8.10 to fix CVE-2024-8096, e.g. in php:zts-alpine tag #1543

Open
rgoltz opened this issue Oct 5, 2024 · 0 comments
Open

Update curl/libcurl to >= 8.10 to fix CVE-2024-8096, e.g. in php:zts-alpine tag #1543

rgoltz opened this issue Oct 5, 2024 · 0 comments

Comments

@rgoltz
Copy link

rgoltz commented Oct 5, 2024

Describe the issue

The most recent image tag for php:zts-alpine using an out-dated curl and libcurl version. This version is vulnerable against CVE-2024-8096. A fix is provided from curl project via version 8.10.0 (or higher). This version was released at 11 Sep 2024 containing the fix named "gtls: fix OCSP stapling Management" to resolve this CVE.

Details from Image-Scan
Vulnerability ID CVE-2024-8096 (GHSA-gv3v-x3f3-7fxm)
Docker Scout https://scout.docker.com/vulnerabilities/id/CVE-2024-8096
CVE with CVSS https://www.cve.org/CVERecord?id=CVE-2024-8096
CWE Type CWE-295: Improper Certificate Validation
Severity Medium
Fix available Yes
Installed version 8.9.1-r2
Fix available 8.10.0-r0
Package Manager OS

You can find this vulnerability on docker-hub as well:
image

Question/Request

The latest build of image-tag php:zts-alpine on docker-hub was push at 27 Sep 2024.

  • Is the image build regularly? (automatically or on request?)
  • By doing the next tag-update, the latest version of curl will included in the next (and the issue here is fixed by than?)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rgoltz