Curl Library to Receive Security Patch on October 11: The maintainers of the Curl Library have issued a crucial advisory regarding two security vulnerabilities set to be addressed in an upcoming update scheduled for release on October 11, 2023.
Key Takeaways:
- Security Alert: The Curl library is addressing two vulnerabilities (CVE-2023-38545 and CVE-2023-38546) in an update on October 11, 2023.
- Severity Levels: These vulnerabilities include a high-severity and a low-severity flaw, with specific version details currently undisclosed.
- Impact Assessment: Organizations using Curl and libcurl are advised to scan their systems for potentially vulnerable versions post-update release.
Security Patch Arriving on October 11
The maintainers of the Curl Library have issued an advisory warning about two security vulnerabilities set to be resolved in an update to be released on October 11, 2023.
These vulnerabilities, tracked as CVE-2023-38545 (high severity) and CVE-2023-38546 (low severity), are expected to be addressed in this important update.
Vulnerability Details
The specifics of the vulnerabilities and the exact version ranges affected are currently undisclosed. The details are being withheld so that they cannot be used to locate the flaws before the fix ships.
However, it is important to note that these vulnerabilities have the potential to impact versions of the Curl library from the “last several years.”
Developer’s Perspective
Daniel Stenberg, the lead developer behind the Curl library project, emphasized the low risk of these vulnerabilities being exploited before the patch’s release.
He mentioned, “Sure, there is a minuscule risk that someone can find this (again) before we ship the patch, but this issue has stayed undetected for years for a reason.”
About Curl and libcurl
Curl, powered by libcurl, is a widely-used command-line tool for transferring data using URL syntax. It supports various protocols, including FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS, and WSS.
CVE-2023-38545 and CVE-2023-38546
While CVE-2023-38545 impacts both libcurl and Curl, CVE-2023-38546 affects only libcurl. Specific version range details have not been disclosed, again to avoid pointing at the flaws before the fix is released.
These vulnerabilities are expected to be fixed in curl version 8.4.0, as stated by Saeed Abbasi, product manager at Qualys Threat Research Unit (TRU).
Recommendations for Organizations
Organizations are strongly advised to inventory and scan all systems using Curl and libcurl, anticipating the identification of potentially vulnerable versions once detailed information is disclosed with the release of Curl 8.4.0 on October 11.
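As an added example of the inventory step recommended above (this script is not from the article or the curl project), the following POSIX shell helper parses `curl --version` output, reports the tool version and the libcurl version separately, and flags any build older than 8.4.0, the version the article names as carrying the fix. Because the affected ranges were undisclosed at the time, a "review" result means "re-check against the advisory once it is published", not "confirmed vulnerable". The sample outputs are constructed for illustration; the threshold version is an assumption taken from the article.

```shell
#!/bin/sh
# Added example, not code from the curl project or the article.
# Inventory helper: parse `curl --version` output and flag builds older than
# the fix version the article names (8.4.0). Affected ranges were undisclosed,
# so "review" means "compare against the advisory", not "confirmed vulnerable".

FIX_VERSION="8.4.0"   # assumption: fix version as stated in the article

# Convert "X.Y.Z" (optionally with a suffix such as "-DEV") to an integer so
# versions compare numerically. Assumes each component is below 1000.
version_key() {
  v=${1%%-*}
  IFS=. read -r major minor patch <<EOF
$v
EOF
  echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# True (exit 0) when dotted version $1 is lower than dotted version $2.
version_lt() {
  [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# The curl command-line tool version: second field of the first output line.
tool_version() {
  printf '%s\n' "$1" | head -n 1 | awk '{print $2}'
}

# The libcurl version: the "libcurl/X.Y.Z" token on the first output line.
# This can differ from the tool version when curl links a system libcurl,
# which matters because CVE-2023-38546 is reported to affect libcurl only.
libcurl_version() {
  printf '%s\n' "$1" | head -n 1 | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Classify one `curl --version` output: "review" if either the tool or the
# library is older than FIX_VERSION, otherwise "ok".
classify() {
  tool=$(tool_version "$1")
  lib=$(libcurl_version "$1")
  if version_lt "$tool" "$FIX_VERSION" || version_lt "${lib:-$tool}" "$FIX_VERSION"; then
    echo review
  else
    echo ok
  fi
}

# Print one inventory line for a given `curl --version` output.
report() {
  printf '%s\tcurl=%s\tlibcurl=%s\t%s\n' "$(hostname)" \
    "$(tool_version "$1")" "$(libcurl_version "$1")" "$(classify "$1")"
}

# Constructed sample outputs in the format `curl --version` prints (not real
# inventory data): an old build, a patched build, and a patched tool linked
# against an older system libcurl.
SAMPLE_OLD='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11
Release-Date: 2022-01-05
Protocols: dict file ftp ftps http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp'
SAMPLE_NEW='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11'
SAMPLE_MIXED='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.2 zlib/1.2.11'

# Demonstrate on the constructed samples, then on the local curl if present.
for sample in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_MIXED"; do
  report "$sample"
done
if command -v curl >/dev/null 2>&1; then
  report "$(curl --version 2>/dev/null)"
fi
```

Run the script on each host (or feed it collected `curl --version` output) and collect the tab-separated lines centrally. Note that this only finds the curl binary on the PATH: statically linked or vendored copies of libcurl inside other applications are not covered and have to be inventoried through package metadata or a software bill of materials.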
Conclusion
The security of the Curl library is being bolstered with the upcoming release of version 8.4.0, addressing the vulnerabilities CVE-2023-38545 and CVE-2023-38546. Organizations must stay vigilant and act swiftly to secure their systems once the patch becomes available on October 11, 2023.
About Curl Library: The Curl Library is maintained by a dedicated team of developers who continuously work to enhance its security and functionality. For more information about the project and updates, visit the official Curl website.