update: ncurses #1045
Labels
advisory/upstream-blocked
blocked by upstream projects
advisory
security advisory
cvss/HIGH
> 7 && < 9 assessed CVSS
security
security concerns
Name: ncurses
CVEs: CVE-2023-29491
CVSSs: 7.8
Action Needed: update to >= 6.4_20230418
Summary: ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.
We need to have >= 6.4_20230418 because of a regression in 6.4_20230408. Due to that, especially in openrc, ncurses released snapshots _p20230415, _p20230418 and _p20230424. At least _p20230418 is known to fix the regressions. However, Gentoo still masks all the snapshot versions.
refmap.gentoo: https://bugs.gentoo.org/904247