ALAS2-2019-1233

Affecting curl package, versions <7.61.1-11.amzn2.0.2

low severity

NVD Description

Note: Versions mentioned in the description apply to the upstream curl package. See Remediation section below for Amzn:2 relevant versions.

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-5436: A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.
1710620: CVE-2019-5436 curl: TFTP receive heap buffer overflow in tftp_receive_packet() function

CVE-2019-5435: An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.
1710609: CVE-2019-5435 curl: Integer overflows in curl_url_set() function

Remediation

Upgrade Amzn:2 curl to version 7.61.1-11.amzn2.0.2 or higher.
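The check a practitioner wants after reading the remediation line is "is the curl RPM on this host still below 7.61.1-11.amzn2.0.2?". Naive string comparison gets RPM release tags wrong (for example `0.10` sorts below `0.2` lexically), so the script below, an added example that is not Snyk's or Amazon's code, reimplements rpm's rpmvercmp() segment algorithm in Python and applies it to epoch:version-release (EVR) strings. The sample `rpm -q` output is constructed for the example; the query format string and the `(none)` epoch marker are assumptions about rpm's output rather than something taken from this advisory.

```python
"""Check whether an installed Amazon Linux 2 curl RPM is below the fixed
EVR named in ALAS2-2019-1233 (7.61.1-11.amzn2.0.2).

rpmvercmp() below follows rpm's algorithm so the check runs anywhere
(CI, an inventory script) without the rpm Python bindings.
"""
import re

FIXED_EVR = "7.61.1-11.amzn2.0.2"  # from the advisory's Remediation section


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b, rpm style.

    Strings are split into numeric and alpha segments (ASCII assumed);
    numeric segments compare as integers, alpha segments lexically, and a
    numeric segment always beats an alpha one. '~' sorts before everything
    (pre-releases); '^' sorts after the bare base version.
    """
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while True:
        # skip separators but keep the special '~' and '^' characters
        while i < la and not a[i].isalnum() and a[i] not in "~^":
            i += 1
        while j < lb and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break  # one side exhausted; decided after the loop
        numeric = ca.isdigit()
        pattern = r"\d+" if numeric else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        if mb is None:  # segment types differ: numeric side is newer
            return 1 if numeric else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer digit string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # the string with segments left is newer


def parse_evr(evr: str):
    """Split 'epoch:version-release' into (int epoch, version, release).
    A missing epoch or rpm's '(none)' marker is treated as epoch 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    c = rpmvercmp(vx, vy)
    return c if c != 0 else rpmvercmp(rx, ry)


def is_vulnerable(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed EVR is strictly below the advisory's fixed EVR."""
    return evr_cmp(installed_evr, fixed_evr) < 0


# Constructed sample of what
#   rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' curl libcurl
# is assumed to print on a host that has not yet applied ALAS2-2019-1233.
SAMPLE_RPM_OUTPUT = """\
curl (none):7.61.1-11.amzn2.0.1
libcurl (none):7.61.1-11.amzn2.0.1
"""


def vulnerable_packages(rpm_output: str, fixed_evr: str = FIXED_EVR) -> list:
    """Return the package names in rpm -q output that are still below fixed_evr."""
    names = []
    for line in rpm_output.splitlines():
        if line.strip():
            name, evr = line.split(maxsplit=1)
            if is_vulnerable(evr, fixed_evr):
                names.append(name)
    return names


if __name__ == "__main__":
    print("still vulnerable:", vulnerable_packages(SAMPLE_RPM_OUTPUT))
```

Feed the function real `rpm -q` output with the same format string and it reports which of curl/libcurl still need the update; a later release such as 7.61.1-12.amzn2 or an epoch bump correctly counts as fixed.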

References

CVE: ALAS2-2019-1233
Snyk ID: SNYK-AMZN2-CURL-506926
Published: 13 Nov, 2019