Can you please be more specific as to which vulnerabilities are flagged?
Assuming you are referring to the Posit Connect image, I can see that we have curl version 7.81.0-1ubuntu1.14 in the container, which according to the changelog already provides fixes for CVE-2023-38545 and CVE-2023-38546. These fixes are not implemented by upgrading to 8.4.0; instead, the needed patches are backported to curl 7.81.0 to keep the API/ABI consistent.
    curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium
      * SECURITY UPDATE: SOCKS5 heap buffer overflow
        - debian/patches/CVE-2023-38545.patch: return error if hostname too
          long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
      * SECURITY UPDATE: cookie injection with none file
        - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
          in lib/cookie.c, lib/cookie.h, lib/easy.c.
You can check the curl changelog yourself by running:

    docker run -ti rstudio/rstudio-connect:jammy-2023.10.0 bash -c "apt-get update && apt-get changelog curl"

Please let me know if this addresses your concern.
In case there are additional CVEs in curl beyond the ones mentioned, the version of curl we use in the container at the moment is the latest available in Ubuntu 22.04 LTS (Jammy). As such, we (Posit) will only be able to apply another update to curl once it is available for Ubuntu Jammy.
PS: Also please note that our containers (cf. Docker) of the most recent Connect version are regularly rebuilt and the tag jammy-2023.10.0 corresponds to different images with different OS package versions. If you are after full reproducibility, always choose the tags with the long name including the hex digits at the end - only those are fully reproducible from a git pull perspective.
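
Added example, not part of the original reply and not Posit's code: a small triage helper that parses Debian-style changelog text (as printed by `apt-get changelog curl`) and checks each scanner-flagged CVE against the installed package version by stanza order, so no Debian version comparison is needed. The first stanza of the sample (version `7.81.0-1ubuntu1.99`, id `CVE-2099-0001`) is a constructed placeholder; the second is the excerpt quoted above, including its cut-off line.

```python
import re

HEADER = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+); urgency=\S+")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample: the ".99" stanza and CVE-2099-0001 are placeholders,
# the ".14" stanza is the changelog excerpt from the post.
SAMPLE_CHANGELOG = """\
curl (7.81.0-1ubuntu1.99) jammy-security; urgency=medium

  * SECURITY UPDATE: constructed entry newer than the installed package
    - debian/patches/CVE-2099-0001.patch: placeholder

curl (7.81.0-1ubuntu1.14) jammy-security; urgency=medium

  * SECURITY UPDATE: SOCKS5 heap buffer overflow
    - debian/patches/CVE-2023-38545.patch: return error if hostname too
      long for remote resolve in lib/socks.c, tests/data/Makefile.inc,
  * SECURITY UPDATE: cookie injection with none file
    - debian/patches/CVE-2023-38546.patch: remove unnecessary struct fields
      in lib/cookie.c, lib/cookie.h, lib/easy.c.
"""

def parse_stanzas(text):
    """Return [(version, {cve ids})] in changelog order (newest first)."""
    stanzas = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            stanzas.append((m.group("ver"), set()))
        elif stanzas:
            stanzas[-1][1].update(CVE.findall(line))
    return stanzas

def triage(text, installed, flagged):
    """Classify each flagged CVE relative to the installed package version."""
    stanzas = parse_stanzas(text)
    versions = [v for v, _ in stanzas]
    if installed not in versions:
        raise ValueError(f"installed version {installed} not found in changelog")
    idx = versions.index(installed)  # stanzas at index >= idx are <= installed
    result = {}
    for cve in flagged:
        hits = [i for i, (_, ids) in enumerate(stanzas) if cve in ids]
        if not hits:
            result[cve] = "not in changelog"  # no backport recorded; check the distro tracker
        elif max(hits) >= idx:  # oldest mention is at or below the installed version
            result[cve] = f"fixed in {versions[max(hits)]}"
        else:
            result[cve] = f"needs upgrade to {versions[max(hits)]}"
    return result
```

The installed version can be read inside the container with `dpkg-query -W -f='${Version}' curl`; a "not in changelog" result only means the changelog records no patch for that id, not that the package is affected.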