Replies: 7 comments 19 replies
-
When there is a HIGH CVE security flaw, why then not release immediately after the fix has been applied, but at a set date? (Now, exploit-hunters are aware that there is something and have 7 days' notice in which they can focus intensely on curl to find the flaw and exploit it.)
-
Any guidance on which versions are vulnerable, so we can start planning what to upgrade?
-
I know you can't give any details before the fix is released, but I assume from the way the post is phrased that you are not talking about a HIGH security flaw in some obscure protocol or similar corner of the code that virtually nobody ever uses in an exploitable way, but about something that would affect a significant percentage of the curl and libcurl user bases?
-
@bagder Might I ask if you think this would also affect pycurl, python-pycurl etc.? Thanks in advance, Conor
-
Thank you for the pre-alerting! At this stage, can you disclose the affected version range? Is it just the 8.* branch (given that you're going to release 8.4.0), or may 7.* or so also require additional patches? It would be helpful to better understand the impacted surface.
-
A lot of people are reading this thread or subscribe to it for real information updates, not to suffer through troll comments. Therefore, it is now locked from further commenting. If you have additional questions/comments about the pending release and associated security vulnerabilities, contact me or start a separate discussion thread. I have tried to move relevant information into the initial post to reduce the need to scroll through this page to find it.
-
The release, the CVEs, the advisories and associated blog posts are now all public. The post here is updated with some links.
-
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time.
The new version and details about the two CVEs will be published around 06:00 UTC on the release day.
There is no API nor ABI change in the coming curl release.
I cannot disclose any information about which version range is affected, as that would help identify the problem (area) with very high accuracy, so I cannot do that ahead of time. The "last several years" of versions is as specific as I can get.
We have notified the distros mailing list allowing the member distributions to prepare patches. (No one else gets details about these problems before October 11 without a support contract and a good reason.)
Now you know. Plan accordingly.
Bonus: How I made a heap overflow in curl