Opened 6 months ago
Last modified 6 months ago
#841 closed defect
Vulnerable Curl.exe v8.6.0 exists in OSGeo4W install — at Initial Version
| Reported by: | ascottwwf | Owned by: | |
|---|---|---|---|
| Priority: | normal | Component: | Package |
| Version: | Keywords: | ||
| Cc: |
Description
Hello,
I have noticed that the OSGeo4W_v2 installer (Which we use to install QGIS LTR) contains version 8.6.0 of curl.exe (located in \OSGeo4W\bin folder)
This version of curl is vulnerable to 2 medium and 2 low severity CVEs (CVE-2024-2466, CVE-2024-2398, CVE-2024-2379 and CVE-2024-2004) see: https://curl.se/docs/vulnerabilities.html. These have all been fixed since version v8.7.0. N.B. v8.8.0 is currently the latest release (Changelog: https://curl.se/changes.html)
Please could you update the OSGeov2 Installer to include the latest release of Curl to remove these current CVEs.
Thanks in advance Adrian Scott
Note:
See TracTickets
for help on using tickets.
