Article Details

Security Patch for Two New Flaws in Curl Library Arriving on October 11. The maintainers of the Curl library have released an advisory warning of two forthcoming security vulnerabilities that are expected to be addressed as part of updates released on October 11, 2023. This includes a high severity and a low-severity flaw tracked under the identifiers CVE-2023-38545 and CVE-2023-38546, respectively. Additional details about the issues and the exact version ranges impacted have been withheld owing to the possibility that the information could be used to "help identify the problem (area) with a very high accuracy." That said, the "last several years" of versions of the library are said to be affected. "Sure, there is a minuscule risk that someone can find this (again) before we ship the patch, but this issue has stayed undetected for years for a reason," Daniel Stenberg, the lead developer behind the project, said in a message posted on GitHub. Curl, powered by libcurl, is a popular command-line tool for transferring data specified with URL syntax. It supports a wide range of protocols such as FTP(S), HTTP(S), IMAP(S), LDAP(S), MQTT, POP3, RTMP(S), SCP, SFTP, SMB(S), SMTP(S), TELNET, WS, and WSS. While 2023-38545 impacts both libcurl and curl, CVE-2023-38546 affects only libcurl. "With specific version range details undisclosed to prevent pre-release problem identification, the vulnerabilities will be fixed in curl version 8.4.0," Saeed Abbasi, product manager at Qualys Threat Research Unit (TRU), said. "Organizations should urgently inventory and scan all systems utilizing curl and libcurl, anticipating identifying potentially vulnerable versions once details are disclosed with the release of Curl 8.4.0 on October 11."