
Fresh curl tomorrow will patch 'worst' security flaw in ages
2023-10-10 14:30

Start your patch engines - a new version of curl is due tomorrow that addresses a pair of flaws, one of which lead developer Daniel Stenberg describes as "Probably the worst curl security flaw in a long time."

Curl 8.4.0 will hit at around 0600 UTC on October 11 and deal with CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl.

Curl is a command line file transfer tool, and one of those utilities that forms the backbone of the internet.

Stenberg adopted the cURL name because "The word contains URL and already then the tool worked primarily with URLs, and I thought that it was fun to partly make it a real English word 'curl' but also that you could pronounce it 'see URL' as the tool would display the contents of a URL."

An urgent fix is probably not the best 25th anniversary gift for the curl team, but here we are.



News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/10/curl_patch_in_update/

Related Vulnerability

Date: 2023-10-18
CVE: CVE-2023-38546
Title: Unspecified vulnerability in Haxx Libcurl
Description: This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers.
Attack vector: network
Attack complexity: high
Affected vendors: haxx
CVSS score: 3.7

Date: 2023-10-18
CVE: CVE-2023-38545
Title: Out-of-bounds Write vulnerability in multiple products
Description: This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only.
Attack vector: network
Attack complexity: low
Affected vendors: haxx, fedoraproject, netapp, microsoft
CWE: CWE-787
Risk: critical
CVSS score: 9.8
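The 255-byte limit in the CVE-2023-38545 description comes from the SOCKS5 wire format: a CONNECT request that asks the proxy to resolve a domain name (RFC 1928, ATYP 0x03) carries the name behind a one-byte length field. The following is an added example, not curl's code, showing the safe shape of that logic (the length is checked before anything is written into the request, and longer names fall back to sending a locally resolved IPv4 address, which is the behaviour the advisory describes), plus a small check that a `curl --version` banner reports at least the fixing release 8.4.0 named in the article. The function names, the `resolver` parameter and the sample banner are assumptions of this example.

```python
import re
import socket
import struct
from typing import Callable, Optional

# RFC 1928: a SOCKS5 CONNECT request with ATYP 0x03 (domain name) carries the
# host name behind a ONE-BYTE length field, so the proxy can only be asked to
# resolve names of at most 255 bytes. This is the limit the advisory refers to.
SOCKS5_MAX_HOSTNAME = 255
SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03

# curl 8.4.0 is the release the article says fixes both CVEs.
FIXED_VERSION = (8, 4, 0)


def build_socks5_connect(
    host: str,
    port: int,
    remote_resolve: bool = True,
    resolver: Optional[Callable[[str], str]] = None,
) -> tuple[bytes, str]:
    """Build the SOCKS5 CONNECT request for host:port.

    Returns (request_bytes, mode): mode is "remote" when the proxy is asked to
    resolve the name and "local" when the name was resolved here and only the
    IPv4 address is sent. The length check happens BEFORE anything is copied
    into the request, so a host name longer than 255 bytes can never reach the
    one-byte length field. (Hypothetical helper, not curl's implementation.)
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    name = host.encode("ascii")  # constructed example: ASCII host names only
    if remote_resolve and len(name) <= SOCKS5_MAX_HOSTNAME:
        request = (
            bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name
            + struct.pack("!H", port)
        )
        return request, "remote"
    # Fallback: resolve locally and send the 4-byte IPv4 address instead.
    resolve = resolver or socket.gethostbyname
    address = socket.inet_aton(resolve(host))
    request = (
        bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4])
        + address
        + struct.pack("!H", port)
    )
    return request, "local"


_VERSION_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")


def parse_curl_version(banner: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from the first line of `curl --version`."""
    match = _VERSION_RE.match(banner.strip())
    if match is None:
        raise ValueError(f"unrecognised curl version banner: {banner!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return major, minor, patch


def needs_update(banner: str) -> bool:
    """True if the banner reports a curl older than the fixing release 8.4.0."""
    return parse_curl_version(banner) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample banner in the format `curl --version` prints.
    sample_banner = "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 zlib/1.2.13"
    print("update needed:", needs_update(sample_banner))
    req, mode = build_socks5_connect("example.com", 443)
    print(mode, req.hex())
    long_name = "a" * 300 + ".example.com"
    req, mode = build_socks5_connect(long_name, 80, resolver=lambda _h: "127.0.0.1")
    print(mode, req.hex())
```

Tuple comparison handles versions such as 8.10.1 correctly (it is newer than 8.4.0, unlike a string comparison would suggest); to check a real host, feed it the first line of `curl --version` output. The resolver is injectable so the fallback path can be exercised offline.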