Curl CVE-2024-7264 vulnerability

Atempo teams are aware of this CVE, which impacts the curl version (8.6.0) currently used in our products.

Atempo teams have completed their verification and concluded that Atempo products are not impacted by this vulnerability.

This vulnerability affects curl only when it is built to use certain TLS backends (GnuTLS, Schannel, Secure Transport or mbedTLS). Atempo builds curl with an unaffected TLS backend: OpenSSL 3.0.

More details: https://curl.se/docs/CVE-2024-7264.html

Extract from the curl advisory page linked above:

AFFECTED VERSIONS
The vulnerable code can only be reached when curl is built to use GnuTLS, Schannel, Secure Transport or mbedTLS. Builds using other TLS backends are not vulnerable.
Affected versions: curl 7.32.0 to and including 8.9.0
Not affected versions: curl < 7.32.0 and >= 8.9.1
Introduced-in: https://github.com/curl/curl/commit/3a24cb7bc45
libcurl is used by many applications, but not always advertised as such!
This parser bug was actually introduced in curl 7.32.0 but was then used only by the GSKit TLS backend which is no longer supported. The functionality was later brought to other TLS backends in different versions, so this bug affects curl built with different backends starting in different versions:
GnuTLS since 7.42.0
Schannel since 7.50.0
Secure Transport since 7.79.0
mbedTLS since 8.9.0
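The two conditions above (the overall affected version range, and the per-backend version in which each vulnerable TLS backend started using the buggy parser) can be turned into a quick check of any curl build. The script below is an added example, not Atempo's or the curl project's code: it classifies a build from the first line of `curl --version` output, using only the version numbers and backend names quoted from the curl advisory. The sample version lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Classify a curl build against CVE-2024-7264 from the first line of
# `curl --version` output, e.g.:
#   curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13 zlib/1.3
# Rules come from the curl advisory quoted above:
#   - affected range: 7.32.0 <= version <= 8.9.0
#   - only with GnuTLS (>=7.42.0), Schannel (>=7.50.0),
#     Secure Transport (>=7.79.0) or mbedTLS (>=8.9.0)

# ver_key "8.6.0" -> 8006000, a sortable integer (major*1000000 + minor*1000 + patch).
# A suffix such as "8.6.0-DEV" is ignored because awk reads "0-DEV" as 0.
ver_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# ver_in_range VERSION LOW HIGH: succeeds when LOW <= VERSION <= HIGH.
ver_in_range() {
    v=$(ver_key "$1"); lo=$(ver_key "$2"); hi=$(ver_key "$3")
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# cve_2024_7264_status "<first line of curl --version>"
# Prints "affected" or "not affected".
cve_2024_7264_status() {
    line=$1
    # Second word of the line is the curl version: "curl 8.6.0 (...)" -> 8.6.0
    version=$(echo "$line" | awk '{ print $2 }')

    # Outside the overall affected range there is nothing further to check.
    if ! ver_in_range "$version" 7.32.0 8.9.0; then
        echo "not affected"
        return
    fi

    # curl prints this backend as "SecureTransport"; accept the spaced spelling too.
    norm=$(echo "$line" | sed 's/Secure Transport/SecureTransport/g')

    # A MultiSSL build lists several backends, so every vulnerable one is checked
    # against the version in which it started using the affected parser.
    for entry in "GnuTLS:7.42.0" "Schannel:7.50.0" "SecureTransport:7.79.0" "mbedTLS:8.9.0"; do
        backend=${entry%%:*}
        since=${entry##*:}
        case "$norm" in
            *"$backend"*)
                if ver_in_range "$version" "$since" 8.9.0; then
                    echo "affected"
                    return
                fi
                ;;
        esac
    done

    # Only non-listed backends (OpenSSL, wolfSSL, ...) were found.
    echo "not affected"
}

# Constructed sample line matching the build described in this advisory
# (curl 8.6.0 with OpenSSL 3.0); replace with "$(curl --version | head -n 1)"
# to check the curl binary actually installed on a host.
SAMPLE_LINE='curl 8.6.0 (x86_64-pc-linux-gnu) libcurl/8.6.0 OpenSSL/3.0.13 zlib/1.3'
echo "$SAMPLE_LINE -> $(cve_2024_7264_status "$SAMPLE_LINE")"
```

The per-backend threshold matters: a GnuTLS build of curl 7.40.0 sits inside the overall 7.32.0 to 8.9.0 range but is reported as not affected, because GnuTLS only started using the parser in 7.42.0. Note that this checks the curl binary's own version line; applications that embed libcurl without advertising it, as the advisory warns, need the same check run against the bundled library.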
