Vulnerable to CVE-2024-25110? #380

Closed
carnil opened this issue Feb 16, 2024 · 5 comments

@carnil

carnil commented Feb 16, 2024

Hi

TTBOMK the embedded azure-uamqp-c copy does not contain the fixes for CVE-2024-25110 (see: GHSA-c646-4whf-r67v).

Changes: Azure/azure-uamqp-c@30865c9

Is this correct?

@risicle

risicle commented Mar 3, 2024

Add to this CVE-2024-27099

@kashifkhan
Member

Hi @carnil and @risicle. I'll be putting out an update with the fix for this shortly. I'll update this thread once it hits PyPI.

@kashifkhan
Member

I've gone ahead and pushed out a new update to PyPI.

@kashifkhan kashifkhan self-assigned this Mar 20, 2024
@mr-c

mr-c commented Mar 20, 2024

Thank you @kashifkhan;

Isn't Azure/azure-uamqp-c@2ca42b6 also needed?
In Debian, we applied that for CVE-2024-27099 (though I still don't have a way of testing to see if the vulnerability associated with the CVEs is still present).

Specifically:

--- azure-uamqp-python.orig/src/vendor/azure-uamqp-c/src/link.c                 
+++ azure-uamqp-python/src/vendor/azure-uamqp-c/src/link.c                      
@@ -413,9 +413,9 @@                                                             
                     }                                                          
                 }                                                              
             }                                                                  
-        }                                                                      
                                                                                
-        flow_destroy(flow_handle);                                             
+            flow_destroy(flow_handle);                                         
+        }                                                                      
     }                                                                          
     else if (is_transfer_type_by_descriptor(descriptor))                       
     {
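Review bot: the leading context of this hunk stops at three closing braces, so the condition that opens the block now enclosing `flow_destroy(flow_handle);` is not visible; from these lines alone a reviewer cannot confirm that `flow_handle` is only valid inside that block, which is exactly what moving the call from after the `}` to before it relies on. Please include a few more lines of leading context, or cite the upstream commit message for Azure/azure-uamqp-c@2ca42b6, so the intent (destroying the flow only on the path where it was obtained) is verifiable from the patch itself. Also, as pasted every line of the hunk carries trailing whitespace, so it may not apply with `git apply` unless whitespace differences are ignored.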

@kashifkhan
Member

I'm not sure @mr-c, but I'll work on getting that added in as well.
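The open question in this thread is whether the vendored `src/vendor/azure-uamqp-c/src/link.c` already carries a given upstream hunk. The script below is an added example, not code from azure-uamqp-python, azure-uamqp-c or anyone in the thread: it parses one unified-diff hunk into its pre-image (context plus `-` lines) and post-image (context plus `+` lines) and searches a file for either sequence as a run of consecutive lines, ignoring trailing whitespace so a hunk pasted with padded lines still matches. The `HUNK` string is the one quoted above; the two `link.c` excerpts are constructed stand-ins whose guard names (`is_flow`, `decode_flow`, `link_ready`, `credit_ok`, `window_open`) are placeholders, not identifiers from the real file.

```python
"""Classify a vendored C file against a single unified-diff hunk.

Added example (not project code).  Pre-image present and post-image absent
means the fix is missing; the reverse means it is already applied.
"""
from typing import List, Tuple

# Hunk quoted in the issue (Debian's backport for CVE-2024-27099).
HUNK = """\
@@ -413,9 +413,9 @@
                     }
                 }
             }
-        }
 
-        flow_destroy(flow_handle);
+            flow_destroy(flow_handle);
+        }
     }
     else if (is_transfer_type_by_descriptor(descriptor))
     {
"""

# Constructed excerpt in the shape of the *unpatched* region.  Only the brace
# structure matters; the guard names are placeholders, not the real link.c.
VULNERABLE_LINK_C = """\
    if (is_flow(descriptor))
    {
        if (decode_flow(performative, &flow_handle) == 0)
        {
            if (link_ready)
            {
                if (credit_ok)
                {
                    if (window_open)
                    {
                        /* ... act on the flow ... */
                    }
                }
            }
        }

        flow_destroy(flow_handle);
    }
    else if (is_transfer_type_by_descriptor(descriptor))
    {
"""

# Same excerpt after the fix: flow_destroy() moves inside the decode block, so
# it only runs on the path where flow_handle was actually obtained.
FIXED_LINK_C = VULNERABLE_LINK_C.replace(
    "        }\n\n        flow_destroy(flow_handle);\n",
    "\n            flow_destroy(flow_handle);\n        }\n",
)


def parse_hunk(hunk: str) -> Tuple[List[str], List[str]]:
    """Split one hunk into (pre_image, post_image) line lists, trailing space stripped."""
    pre: List[str] = []
    post: List[str] = []
    in_hunk = False
    for raw in hunk.splitlines():
        if raw.startswith("@@"):
            in_hunk = True          # only a single hunk is supported
            continue
        if not in_hunk:
            continue                # skip ---/+++ file headers
        tag, body = (raw[0], raw[1:].rstrip()) if raw else (" ", "")
        if tag == " ":
            pre.append(body)
            post.append(body)
        elif tag == "-":
            pre.append(body)
        elif tag == "+":
            post.append(body)
        elif tag == "\\":           # "\ No newline at end of file"
            continue
        else:
            raise ValueError(f"unexpected diff line: {raw!r}")
    return pre, post


def _find(lines: List[str], needle: List[str]) -> int:
    """Index of the first run of `needle` inside `lines`, or -1."""
    n = len(needle)
    for i in range(len(lines) - n + 1):
        if lines[i:i + n] == needle:
            return i
    return -1


def patch_state(source: str, hunk: str = HUNK) -> str:
    """Return 'applied', 'not_applied', 'both' or 'unknown' for `source`."""
    lines = [line.rstrip() for line in source.splitlines()]
    pre, post = parse_hunk(hunk)
    has_pre, has_post = _find(lines, pre) >= 0, _find(lines, post) >= 0
    if has_pre and has_post:
        return "both"               # region occurs twice; review by hand
    if has_post:
        return "applied"            # file already carries the fix
    if has_pre:
        return "not_applied"        # vulnerable pre-image present, fix missing
    return "unknown"                # neither matches: different upstream version


def check_file(path: str, hunk: str = HUNK) -> str:
    """Classify an on-disk file, e.g. src/vendor/azure-uamqp-c/src/link.c."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return patch_state(fh.read(), hunk)


if __name__ == "__main__":
    print("constructed unpatched excerpt:", patch_state(VULNERABLE_LINK_C))
    print("constructed patched excerpt:  ", patch_state(FIXED_LINK_C))
```

To check a real checkout, call `check_file("src/vendor/azure-uamqp-c/src/link.c")`. A result of `unknown` or `both` means the region has been restructured relative to the hunk and needs a manual look rather than a verdict; where git is available, `git apply --check -R <patch>` succeeding is the equivalent "already applied" test.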
