Critical vulnerability CVE-2024-5535 in alpine/openssl 3.1.5-r0 version packaged in curlimages/curl:8.8.0

[barkhachoithani]

Critical vulnerability CVE-2024-5535 is fixed in alpine/openssl version 3.1.6-r0 or higher.
Please see https://build.alpinelinux.org/buildlogs/build-3-19-s390x/main/openssl/openssl-3.1.6-r2.log https://security.snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7413523

curl image should be updated with the latest/stable version of alpine/openssl.

[dfandrich]

The OpenSSL project considers this so low a priority that they're not even issuing a new release to fix it. Do you see this as particularly bad problem with curl?

[bagder]

Also, curl does not use the affected function so the mentioned OpenSSL CVE cannot be triggered by curl.

[barkhachoithani]

The OpenSSL project considers this so low a priority that they're not even issuing a new release to fix it. Do you see this as particularly bad problem with curl?

Yes, OpenSSL considers it as low however image scan results says it's critical.
https://scout.docker.com/vulnerabilities/id/CVE-2024-5535/
GHSA-4fc7-mvrr-wv2c.
alpine/openssl has a fix version.

[dfandrich]

If curl can't trigger the vulnerability then it's even less than low—it's zero.

[xquery]

for reasons explained above an out of band release is not needed in this case - this will get fixed when we do the next curl release.