diff --git a/security/vuxml/attachment.cgi?id=244811 b/security/vuxml/attachment.cgi?id=244811 deleted file mode 100644 index 20c93ef1ae8f..000000000000 --- a/security/vuxml/attachment.cgi?id=244811 +++ /dev/null @@ -1,57 +0,0 @@ -From 7ea414f0f67c4e6e54d86d54fd639ff476d9af73 Mon Sep 17 00:00:00 2001 -From: Yasuhiro Kimura -Date: Thu, 14 Sep 2023 00:15:37 +0900 -Subject: [PATCH] security/vuxml: Document "eat all memory" vulnerability in - curl - ---- - security/vuxml/vuln/2023.xml | 36 ++++++++++++++++++++++++++++++++++++ - 1 file changed, 36 insertions(+) - -diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml -index eb3c8fd68d81..862e66ee01b6 100644 ---- a/security/vuxml/vuln/2023.xml -+++ b/security/vuxml/vuln/2023.xml -@@ -1,3 +1,39 @@ -+ -+ curl -- HTTP headers eat all memory -+ -+ -+ curl -+ 8.3.0 -+ -+ -+ -+ -+

selmelc on hackerone reports:

-+
-+

-+ When curl retrieves an HTTP response, it stores the -+ incoming headers so that they can be accessed later via -+ the libcurl headers API. -+

-+

-+ However, curl did not have a limit in how many or how -+ large headers it would accept in a response, allowing a -+ malicious server to stream an endless series of headers -+ and eventually cause curl to run out of heap memory. -+

-+
-+ -+
-+ -+ CVE-2023-38039 -+ https://curl.se/docs/CVE-2023-38039.html HERE -+ -+ -+ 2023-09-13 -+ 2023-09-13 -+ -+
-+ - - Roundcube -- XSS vulnerability - --- -2.42.0 -
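
Review bot: the reference line of the vuxml entry embedded in the deleted file reads `https://curl.se/docs/CVE-2023-38039.html HERE`, so a stray "HERE" follows the advisory URL. If this entry was also applied to security/vuxml/vuln/2023.xml, check that the url element there holds only the URL. The removed file, security/vuxml/attachment.cgi?id=244811, is a git format-patch mail (From/Date/Subject header lines, 2.42.0 trailer) rather than a ports file, and nothing in this diff shows that the curl entry it carries is present in vuln/2023.xml, so confirm that before dropping the attachment. The affected range for curl shows a single version, 8.3.0, with no lower bound visible; compare it against the linked advisory to confirm that is intended.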