+
+
+

ALAS2023-2023-368

+
+ +
+
+ + Amazon Linux 2023 Security Advisory: ALAS-2023-368 +
+ Advisory Release Date: 2023-09-27 21:06 Pacific
+ Advisory Updated Date: 2023-10-03 20:50 Pacific
+ +
+ Severity: + + + + + + Important
+
+ + + +
+
+ Issue Overview: +

HTTP headers eat all memory

NOTE: https://www.openwall.com/lists/oss-security/2023/09/13/1
NOTE: https://curl.se/docs/CVE-2023-38039.html
NOTE: Introduced by: https://github.com/curl/curl/commit/7c8c723682d524ac9580b9ca3b71419163cb5660 (curl-7_83_0)
NOTE: Experimental tag removed in: https://github.com/curl/curl/commit/4d94fac9f0d1dd02b8308291e4c47651142dc28b (curl-7_84_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770 (curl-8_3_0) (CVE-2023-38039)

+
+ +
+
+ Affected Packages: +
+

curl

+
+ + +
+
+ Issue Correction: +
Run dnf update curl --releasever 2023.2.20231002 to update your system.
+
+
+ New Packages:
aarch64:
    libcurl-debuginfo-8.3.0-1.amzn2023.0.1.aarch64
    java-1.8.0-amazon-corretto-1.8.0_402.b08-1.amzn2023.aarch64
    libcurl-minimal-debuginfo-8.3.0-1.amzn2023.0.1.aarch64
    curl-8.3.0-1.amzn2023.0.1.aarch64
    curl-minimal-8.3.0-1.amzn2023.0.1.aarch64
    curl-debuginfo-8.3.0-1.amzn2023.0.1.aarch64
    curl-minimal-debuginfo-8.3.0-1.amzn2023.0.1.aarch64
    curl-debugsource-8.3.0-1.amzn2023.0.1.aarch64
    libcurl-minimal-8.3.0-1.amzn2023.0.1.aarch64
    libcurl-8.3.0-1.amzn2023.0.1.aarch64
    libcurl-devel-8.3.0-1.amzn2023.0.1.aarch64

src:
    curl-8.3.0-1.amzn2023.0.1.src

x86_64:
    curl-minimal-debuginfo-8.3.0-1.amzn2023.0.1.x86_64
    curl-debuginfo-8.3.0-1.amzn2023.0.1.x86_64
    libcurl-minimal-8.3.0-1.amzn2023.0.1.x86_64
    curl-minimal-8.3.0-1.amzn2023.0.1.x86_64
    curl-debugsource-8.3.0-1.amzn2023.0.1.x86_64
    libcurl-debuginfo-8.3.0-1.amzn2023.0.1.x86_64
    curl-8.3.0-1.amzn2023.0.1.x86_64
    libcurl-minimal-debuginfo-8.3.0-1.amzn2023.0.1.x86_64
    libcurl-8.3.0-1.amzn2023.0.1.x86_64
    libcurl-devel-8.3.0-1.amzn2023.0.1.x86_64
    kernel-debuginfo-common-i686-4.14.336-180.562.amzn1.i686
+
+`
+
+func TestParseAlasPage(t *testing.T) {
+ expectedLen := 12
+ expectedVersions := map[string]string{
+ "libcurl-debuginfo": "8.3.0-1.amzn2023.0.1",
+ "java-1.8.0-amazon-corretto": "1.8.0_402.b08-1.amzn2023",
+ "libcurl-minimal-debuginfo": "8.3.0-1.amzn2023.0.1",
+ "curl": "8.3.0-1.amzn2023.0.1",
+ "curl-minimal": "8.3.0-1.amzn2023.0.1",
+ "curl-debuginfo": "8.3.0-1.amzn2023.0.1",
+ "curl-minimal-debuginfo": "8.3.0-1.amzn2023.0.1",
+ "curl-debugsource": "8.3.0-1.amzn2023.0.1",
+ "libcurl-minimal": "8.3.0-1.amzn2023.0.1",
+ "libcurl": "8.3.0-1.amzn2023.0.1",
+ "libcurl-devel": "8.3.0-1.amzn2023.0.1",
+ "kernel-debuginfo-common-i686": "4.14.336-180.562.amzn1",
+ }
+ plain := html2text.HTML2Text(string(htmlBody))
+ _, vers, err := parseAlasPage("ALAS-2023-368", htmlBody, plain)
+ if err != nil {
+ t.Errorf("Error during parseAlasPage:%v\n", err)
+ }
+
+ //check length of version map
+ if len(vers) != expectedLen {
+ t.Errorf("Expected length of parseAlasPage:%v , returned length:%v\n", expectedLen, len(vers))
+ }
+ //Check contents of version map
+ for key, value := range expectedVersions {
+ val, ok := vers[key]
+ if ok {
+ if val != value {
+ t.Errorf("parseAlasPage vers key:%s, value:%s, does not match expected value:%s,\n", key, val, value)
+ }
+ } else {
+ t.Errorf("Missing key in vers from parseAlasPage:%s\n", key)
+ }
+ }
+}