October 10, 2023 at 10:33AM
Curl version 8.4.0 is set to be released tomorrow, addressing two security flaws. One of the flaws is considered the worst security flaw in curl in a long time. The update will address CVE-2023-38545, affecting both libcurl and the curl tool, and CVE-2023-38546, affecting libcurl only. The update does not have any API or ABI changes. The details of the flaws have not been disclosed, but it is recommended to install the patched packages as soon as possible.
Key takeaways from the meeting notes:
1. A new version of curl, version 8.4.0, is going to be released tomorrow to address two security flaws: CVE-2023-38545, which affects both libcurl and the curl tool, and CVE-2023-38546, which only affects libcurl.
2. The release of curl 8.4.0 will happen at approximately 0600 UTC on October 11.
3. There are no API or ABI changes in the new version, so the update should be relatively smooth.
4. The severity of CVE-2023-38545 is high, but no specific details about the flaws have been disclosed yet.
5. Curl is a widely used tool that is an integral part of the internet infrastructure, with billions of installations and daily usage by almost every internet user.
6. Curl’s history dates back to 1998, and it is primarily known as a command line file transfer tool.
7. While the vulnerability in curl is concerning, it is not on the same scale as Log4j and should be managed through regular operating system updates.
8. The most vulnerable attack surface to watch for is Docker base images that are not receiving updates and have applications leveraging the vulnerable libcurl.
9. It is important to install the patched packages for curl without panicking, and to include containers in the update plan, since they carry their own copy of the operating system's packages.
10. Executives and teams are advised to plan accordingly for the release and ensure timely installation of the updated version.
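The takeaways above say that 8.4.0 is the fixed release, that the two CVEs affect the curl tool and libcurl differently, and that containers are the place where stale copies tend to hide. The script below is an added example, not part of the article and not the curl project's own tooling: it parses the first line of `curl --version` output, compares both the tool version and the libcurl version against 8.4.0, and reports which of the two still needs updating. The sample version strings are constructed for the test; the `FIXED_VERSION` threshold and the `scan_images` helper are assumptions made here, not something the article specifies.

```shell
#!/bin/sh
# Added example (not from the article): classify a `curl --version` output as
# patched or not, relative to the 8.4.0 release the article describes.
# Caveat: distributions often backport security fixes without bumping the
# version number, so "needs-update" here means "check the package changelog",
# not "confirmed vulnerable".

FIXED_VERSION="8.4.0"   # assumption: the release the article says fixes both CVEs

# version_ge A B: succeed (exit 0) if dotted version A is at or above B.
# Each "major.minor.patch" is packed into one integer (e.g. 7.88.1 -> 7088001)
# so that a plain numeric comparison works without GNU sort -V.
version_ge() {
    v1=$(printf '%s\n' "$1" | awk -F. '{printf "%d%03d%03d\n", $1, $2, $3}')
    v2=$(printf '%s\n' "$2" | awk -F. '{printf "%d%03d%03d\n", $1, $2, $3}')
    [ "$v1" -ge "$v2" ]
}

# The first line of `curl --version` looks like:
#   curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13
# The tool version is the second word; the library version follows "libcurl/".
# The two can differ when the tool is linked against a separately installed
# shared libcurl, which is why both are checked.
tool_version()    { printf '%s\n' "$1" | awk 'NR==1 {print $2}'; }
libcurl_version() { printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'; }

# classify OUTPUT: print one of
#   patched | tool-needs-update | libcurl-needs-update | both-need-update
# A missing or unparsable libcurl version is treated as not patched (conservative).
classify() {
    t=$(tool_version "$1")
    l=$(libcurl_version "$1")
    tool_ok=0
    lib_ok=0
    version_ge "$t" "$FIXED_VERSION" && tool_ok=1
    version_ge "$l" "$FIXED_VERSION" && lib_ok=1
    if [ "$tool_ok" = 1 ] && [ "$lib_ok" = 1 ]; then
        echo patched
    elif [ "$tool_ok" = 1 ]; then
        echo libcurl-needs-update
    elif [ "$lib_ok" = 1 ]; then
        echo tool-needs-update
    else
        echo both-need-update
    fi
}

# scan_images IMAGE...: run the check inside each container image (assumed
# helper; requires Docker and is not invoked by the self-test below).
# Images that ship only libcurl.so for an application, with no curl binary,
# will print nothing here and need a package-manager or file-level check instead.
scan_images() {
    for img in "$@"; do
        out=$(docker run --rm "$img" curl --version 2>/dev/null) || out=""
        printf '%s: %s\n' "$img" "$(classify "$out")"
    done
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_OLD="curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13"
SAMPLE_NEW="curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13"
SAMPLE_MIXED="curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.11 zlib/1.2.13"

# Check the local installation when curl is present, otherwise stay quiet.
if command -v curl >/dev/null 2>&1; then
    printf 'local curl: %s\n' "$(classify "$(curl --version 2>/dev/null)")"
fi
```

To sweep a set of base images, call `scan_images registry/app:tag other/image:tag` from a host with Docker. Because the article notes that CVE-2023-38546 affects libcurl only, a `libcurl-needs-update` result on an image is still actionable even when the curl command itself is current.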
Full Article – https://ift.tt/iIOc7Ev