Curl 8.4 on AL2023

[prian2686]

Problem: As part of Aqua scan it's complaining about the base image having curl 8.3 and the recommendation is to update to 8.4.
CVE: CVE-2023-38545 - is the vulnerability.
We are running 17-al2023-headless.
i've tried 'Run dnf update curl --releasever 2023.2.20231011' however the issue is still persistent.
any suggestion? Is there a plan for amazon to send a release a curl 8.4 update?

[danie-dejager]

The fixes needed to resolve CVE-2023-38545 was worked into AL2023's curl on version 8.3. A lot of work is put into keeping a enterprise linux distro stable. Software versions are often the same for a specific distro release, with fixes from newer versions upstream being added into the current release.
That's why the version is curl-minimal-8.3.0-1.amzn2023.0.2.aarch64. The 0.2 denotes the version in which the vulnerability in SOCKS5 was fixed. Your version might be 8.3.0 but the software is no longer the same as when it was initially released by the developers of curl.
https://alas.aws.amazon.com/AL2023/ALAS-2023-377.html

In enterprise computing, you don't need the latest, you need the safest.

[prian2686]

thanks for the reply @daniejstriata
i did attempt that patch. however, Aqua scans it and detects it as a vulnerability and informs me that the patch is in 8.4

[stewartsmith]

Probably best to contact Aqua and ask them to fix their scanner. It sounds like they're not looking at the metadata we make available on what CVEs are fixed in what package versions.