
upgrade libcurl for security vulnerabilities. #2357

@lalitb

Upgrade the bazel build to use the latest libcurl version, v8.4.0 (to be released on Oct 11, 2023), for the two security vulnerabilities below:

CVE-2023-38545, a high severity flaw that affects both the libcurl library and the curl tool, and
CVE-2023-38546, a low severity bug that only affects libcurl.

Release announcement: curl/curl#12026

Changes required:
bazel: upgrade version here -

"https://curl.haxx.se/download/curl-7.73.0.tar.gz",

For CMake, we don't use a sticky version for libcurl and rely on the package manager (apt-get, vcpkg), so hopefully no changes will be required.

Thanks @ThomsonTan for bringing this up. Please add if I missed something.
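
A check that could gate CI on the pin described in this issue, as an added example that is not part of the original issue or the project's code: it scans Bazel repository-rule text for curl release tarball URLs and reports any pinned below 8.4.0, the version the issue asks to upgrade to. The sample rule text, the mirror URL and the function names are constructed for illustration; only the `curl-7.73.0.tar.gz` URL comes from the issue.

```python
import re

# Minimum version taken from the issue text (the release it asks to upgrade to).
MIN_FIXED = (8, 4, 0)

# Matches a quoted URL ending in a curl release tarball, e.g. ".../curl-7.73.0.tar.gz".
CURL_URL_RE = re.compile(r"""["'](?P<url>https?://[^"']*?/curl-(?P<ver>\d+\.\d+\.\d+)\.tar\.(?:gz|bz2|xz))["']""")

# Constructed sample of a Bazel repository rule; only the first URL is from the issue.
SAMPLE_BZL = '''
http_archive(
    name = "curl",
    build_file = "//bazel:curl.BUILD",
    urls = [
        "https://curl.haxx.se/download/curl-7.73.0.tar.gz",
        "https://mirror.example.invalid/curl/curl-7.73.0.tar.gz",
    ],
)
'''


def parse_version(text):
    """Turn '7.73.0' into (7, 73, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_outdated_curl_pins(bzl_text, minimum=MIN_FIXED):
    """Return (line_number, url, version) for every curl pin below `minimum`."""
    findings = []
    for lineno, line in enumerate(bzl_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out pins
        for match in CURL_URL_RE.finditer(line):
            if parse_version(match.group("ver")) < minimum:
                findings.append((lineno, match.group("url"), match.group("ver")))
    return findings


if __name__ == "__main__":
    for lineno, url, ver in find_outdated_curl_pins(SAMPLE_BZL):
        print(f"line {lineno}: curl {ver} is below 8.4.0 -> {url}")
```

The numeric tuple comparison matters here: compared as strings, "7.73.0" would sort after "10.0.0", so a string check could misreport a pin.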

Labels: CVE, bug, security
