Security patch for two new Curl library flaws coming October 11


October 9, 2023 | newsroom | Software security/vulnerability

The maintainers of the Curl library have published a warning about two security vulnerabilities that are expected to be fixed as part of an upcoming update that will be released on October 11, 2023.

The two issues are a high-severity flaw and a low-severity flaw, tracked as CVE-2023-38545 and CVE-2023-38546, respectively.

Additional details about the issues and exact ranges of affected versions have been withheld due to the possibility that the information could be used to “help identify the issue (area) with very high precision.”

That said, versions from the “last few years” of the library are said to be affected.

“Sure, there’s a minuscule risk that someone could find this (again) before we ship the patch, but this issue has gone undetected for years for a reason,” said Daniel Stenberg, the lead developer behind the project, in a message posted on GitHub.

Curl, powered by libcurl, is a popular command-line tool for transferring data specified with URL syntax. It supports a wide range of protocols such as FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS and WSS.

While CVE-2023-38545 affects both libcurl and curl, CVE-2023-38546 affects only libcurl.

“As the specific details of the version range have not been revealed to avoid the identification of pre-release issues, the vulnerabilities will be fixed in curl version 8.4.0,” said Saeed Abbasi, product manager of the Threat Research Unit (TRU) at Qualys.

“Organizations should urgently inventory and scan all systems using curl and libcurl, anticipating the identification of potentially vulnerable versions once details are revealed with the release of Curl 8.4.0 on October 11.”
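
One way to run the inventory recommended above, as an added example that is not code from the article, the curl project or Qualys. It reports the curl tool and libcurl separately and flags anything older than the 8.4.0 fix release for review; the host names and version banners are constructed samples.

```shell
#!/bin/sh
# Added example: flag curl/libcurl builds older than the fix release (8.4.0).
# Affected ranges are not public, so "REVIEW" means "not yet at the fixed
# release", not "confirmed vulnerable".
FIXED="8.4.0"

# version_lt A B: succeed if dotted numeric version A is older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        LC_ALL=C sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# parse_banner: read the first line of `curl --version` on stdin and print
# "<tool version> <libcurl version>"; suffixes such as -DEV are dropped.
parse_banner() {
    sed -n '1s/^curl \([0-9][0-9.]*\).* libcurl\/\([0-9][0-9.]*\).*/\1 \2/p'
}

# classify HOST BANNER: one status line each for the tool and the library,
# since the two can differ and CVE-2023-38546 concerns libcurl only.
classify() {
    host=$1
    set -- $(printf '%s\n' "$2" | parse_banner)
    [ $# -eq 2 ] || { echo "$host unparsed"; return 0; }
    for pair in "curl:$1" "libcurl:$2"; do
        name=${pair%%:*}; ver=${pair#*:}
        if version_lt "$ver" "$FIXED"; then
            echo "$host $name $ver REVIEW (older than $FIXED)"
        else
            echo "$host $name $ver OK"
        fi
    done
}

# Constructed sample inventory: "<host>|<first line of curl --version>".
SAMPLE='web01|curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9
build02|curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.1.3
db03|curl 8.10.1 (aarch64-unknown-linux-gnu) libcurl/8.10.1 OpenSSL/3.3.2'

report() {
    printf '%s\n' "$SAMPLE" | while IFS='|' read -r host banner; do
        classify "$host" "$banner"
    done
}
report
```

On a live host, pass the first line of `curl --version` to `classify`; applications that bundle their own libcurl copy do not show up in that banner and need a separate file or package scan.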
