December 8, 2023

cURL: Information about the “worst vulnerability in a long time” will be available on October 11

The cURL toolkit is used in many projects for HTTP calls, API calls, and command line downloads. Now the project founder is announcing a security update for October 11, and it sounds like a big one.


When cURL creator Daniel Stenberg uses the phrase “fasten your seatbelts” to describe a security vulnerability, it doesn’t bode well. His announcement on X is pretty clear: CVE-2023-38545 is “the worst security issue found in cURL in a long time.” Stenberg, a vocal critic of CVE and CVSS, uses his announcement for a quick aside about the US vulnerability database: the NVD will likely suffer a “complete nervous breakdown” due to the severity of the problem.

The teasing has a serious background. A vast number of devices and software products, from DSL routers to PHP CMSs, use the “Swiss Army knife of URLs,” so the attack surface is very large. So it’s not surprising that a lively discussion about the security flaws developed on GitHub until Stenberg deactivated commenting.

The cURL developers are currently withholding details. All that is known is that there are two vulnerabilities: CVE-2023-38545 (“high” severity by cURL’s own rating) and CVE-2023-38546 (“low” severity).

According to Stenberg, all versions of cURL from “recent years” are affected by the bug. The fixed cURL version, to be released on October 11 at 06:00 UTC (08:00 CET), will have version number 8.4.0.

Only recently, a CVE became a nuisance for the cURL project: anonymous parties filed a bug, which the developers had classified as not security-related and had long since fixed, with a critical severity rating.
