<div dir="ltr"><div dir="ltr"> </div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 15, 2022 at 11:47 PM Ruelo, Christine M. L. <<a href="mailto:christine.m.l.ruelo@accenture.com">christine.m.l.ruelo@accenture.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div lang="EN-US" style="overflow-wrap: break-word;"> <div class="gmail-m_-8192746300748028313WordSection1"> Hello libcurl4,curl Maintainers, Â Good day, We have used the libcurl4,curl package and perform a security scan using Palo Alto Network â€“ Prisma Cloud and these vulnerabilities below are reported.</div></div></blockquote><div> </div><div>Hi,</div><div>not sure which Ubuntu releases you scanned but all these were handled and fixed quite a while ago.</div><div>To help you find that information yourself for this and any other cases let me point you to USN [1].</div><div> </div><div>There you can enter your CVE numbers and will find which release was affected and in which package versions it got fixed.</div><div>If you want to do such checks automatically there is also oval data [2].</div><div> </div><div>If your scanners still report the issue you'll need to check that in detail, but form my personal experience in 9 out of 10 cases the problem is that they only perform "if version > X" which doesn't always work well for fixes backported to versions that are in Distributions (for example libcurl3-gnutls - 7.74.0-1ubuntu2 becomes libcurl3-gnutls - 7.74.0-1ubuntu2.1 due to the fix - but the scanner might just check > 7.75).</div><div> </div><div>[1]:Â <a href="https://ubuntu.com/security/notices">https://ubuntu.com/security/notices</a></div><div>[2]:Â <a href="https://ubuntu.com/security/oval">https://ubuntu.com/security/oval</a></div><div>Â </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div lang="EN-US" style="overflow-wrap: break-word;"><div class="gmail-m_-8192746300748028313WordSection1"> We would like to report it and let us know once the fix is available so we can update accordingly. Â <table border="1" cellspacing="0" cellpadding="0" width="134" style="width:1.4in;border-collapse:collapse;border:none"> <tbody> <tr style="height:15.75pt"> <td width="134" nowrap valign="bottom" style="width:1.4in;border:1pt solid windowtext;padding:0in 5.4pt;height:15.75pt"> CVE-2021-22898 </td> </tr> <tr style="height:15.75pt"> <td width="134" nowrap valign="bottom" style="width:1.4in;border-right:1pt solid windowtext;border-bottom:1pt solid windowtext;border-left:1pt solid windowtext;border-top:none;padding:0in 5.4pt;height:15.75pt"> CVE-2021-22947 </td> </tr> <tr style="height:15.75pt"> <td width="134" nowrap valign="bottom" style="width:1.4in;border-right:1pt solid windowtext;border-bottom:1pt solid windowtext;border-left:1pt solid windowtext;border-top:none;padding:0in 5.4pt;height:15.75pt"> CVE-2021-22946 </td> </tr> <tr style="height:15.75pt"> <td width="134" nowrap valign="bottom" style="width:1.4in;border-right:1pt solid windowtext;border-bottom:1pt solid windowtext;border-left:1pt solid windowtext;border-top:none;padding:0in 5.4pt;height:15.75pt"> CVE-2021-22945 </td> </tr> <tr style="height:15.75pt"> <td width="134" nowrap valign="bottom" style="width:1.4in;border-right:1pt solid windowtext;border-bottom:1pt solid windowtext;border-left:1pt solid windowtext;border-top:none;padding:0in 5.4pt;height:15.75pt"> CVE-2021-22924 </td> </tr> </tbody> </table> Â Thank you Â Regards, <img width="210" height="19" style="width: 2.1875in; height: 0.1979in;" id="gmail-m_-8192746300748028313Picture_x0020_1" src="cid:1817fc982eb4cff311"> I CHRISTINE MAE RUELO I ATCP | Data + AI I Global One Eastwood I E: <a href="mailto:christine.m.l.ruelo@accenture.com" target="_blank">christine.m.l.ruelo@accenture.com</a> I M: +63 927 088 6796 Accenture Confidential PTO: Holiday: Training: Â </div> <hr> This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. Your privacy is important to us. Accenture uses your personal data only in compliance with data protection laws. For further information on how Accenture processes your personal data, please see our privacy statement at <a href="https://www.accenture.com/us-en/privacy-policy" target="_blank">https://www.accenture.com/us-en/privacy-policy</a>. ______________________________________________________________________________________ <a href="http://www.accenture.com" target="_blank">www.accenture.com</a> </div> -- Ubuntu-devel-discuss mailing list <a href="mailto:Ubuntu-devel-discuss@lists.ubuntu.com" target="_blank">Ubuntu-devel-discuss@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss" rel="noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss</a> </blockquote></div> <div> </div>-- <div dir="ltr" class="gmail_signature">Christian Ehrhardt Staff Engineer, Ubuntu Server Canonical Ltd</div></div>