Section 1: Post-announcement
Announced! 05:57 UTC October 11, 2023
The "High" (CVE-2023-38545) is a heap buffer overflow in the SOCKS5 handshake: a hostname longer than 255 bytes (the most a SOCKS5 proxy can be asked to resolve, since the protocol's length field is one byte) should make curl fall back to local resolution, but under a slow handshake that fallback is lost and the over-long name is copied into the request buffer. It is only in play when SOCKS5 proxying with proxy-side name resolution (socks5h://) is enabled (or induced).
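To make the 255-byte limit concrete, an added example (not curl's code, and not from the advisory): it builds the SOCKS5 CONNECT request of RFC 1928 with the post-fix check beside a simplified model of the pre-fix path. The pre-fix model (length byte truncated, full name still copied) follows the description in Stenberg's blog post linked in this section; the slow-handshake timing that actually loses the "resolve locally" flag is not modelled, and 16kB is curl's documented CURLOPT_BUFFERSIZE default. Hostnames are assumed ASCII.

```python
"""Added illustration (not curl's code): the SOCKS5 CONNECT encoding limit
behind CVE-2023-38545, the fixed check, and a model of the flawed path."""
import struct

SOCKS5_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_DOMAINNAME = 0x03
# RFC 1928 section 4: for ATYP 0x03 the address is "1 octet of length
# followed by the name", so a proxy can never be asked to resolve a name
# longer than 255 bytes. That limit is why curl tried to fall back to
# local resolution for longer names.
MAX_SOCKS5_HOSTNAME = 255
DEFAULT_BUFSIZE = 16 * 1024  # curl's default CURLOPT_BUFFERSIZE


class HostnameTooLong(ValueError):
    """Raised where the fixed code returns an error instead of encoding."""


def remote_resolve_allowed(hostname: str) -> bool:
    """True if the name fits the one-byte length field of ATYP 0x03."""
    return len(hostname.encode("ascii")) <= MAX_SOCKS5_HOSTNAME


def encode_connect(hostname: str, port: int) -> bytes:
    """SOCKS5 CONNECT with proxy-side name resolution (socks5h://).

    Mirrors the behaviour the patch message describes: a name that cannot
    be expressed in the length byte is an error, not a truncated field.
    """
    name = hostname.encode("ascii")
    if not remote_resolve_allowed(hostname):
        raise HostnameTooLong(f"{len(name)} bytes > {MAX_SOCKS5_HOSTNAME}")
    if not 0 < port <= 0xFFFF:
        raise ValueError("port out of range")
    # VER CMD RSV ATYP LEN NAME... DST.PORT (network byte order)
    return (bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(name)])
            + name + struct.pack("!H", port))


def flawed_encode_connect(hostname: str, port: int) -> bytes:
    """Model of the pre-fix path once the 'resolve locally' flag was lost:
    the length byte is truncated (the C code cast it to unsigned char)
    while the whole name is still copied after it. Returns every byte that
    would be written into the request buffer; Python cannot overflow, so
    the caller compares the length against the buffer size instead."""
    name = hostname.encode("ascii")
    return (bytes([SOCKS5_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(name) & 0xFF])
            + name + struct.pack("!H", port))


def would_overflow(request: bytes, bufsize: int = DEFAULT_BUFSIZE) -> bool:
    """True if writing request into a bufsize-byte buffer runs past its end."""
    return len(request) > bufsize


if __name__ == "__main__":
    print(encode_connect("example.com", 443).hex())
    long_name = "a" * 20000  # constructed: longer than the 16kB default buffer
    req = flawed_encode_connect(long_name, 80)
    print("length byte on the wire:", req[4], "real length:", len(long_name))
    print("overflows default buffer:", would_overflow(req))
    try:
        encode_connect(long_name, 80)
    except HostnameTooLong as err:
        print("fixed path rejects it:", err)
```

With the default 16kB buffer only a name longer than that overflows; the advisory notes that the curl tool uses a smaller buffer when --limit-rate is set to a small value, which lowers the threshold.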
Vuln announcement:
https://curl.se/docs/CVE-2023-38545.html
Blog post:
https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
Affected versions: libcurl 7.69.0 (March 4, 2020) up to and including 8.3.0
Unaffected versions: libcurl < 7.69.0 and >= 8.4.0
Bug commit:
https://github.com/curl/curl/commit/4a4b63daaa
Fix commit:
https://github.com/curl/curl/commit/fb4415d8aee6c1
Mitigations: patch (8.4.0, or a distro build carrying the fix), or avoid SOCKS5 with proxy-side name resolution (socks5h://, CURLPROXY_SOCKS5_HOSTNAME, --socks5-hostname); plain socks5:// with local resolution does not reach the vulnerable path. See the official announcement for specifics. Exploitation may be harder on modern systems with ASLR.
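A triage helper, added here and not taken from the advisory or the curl project: it pulls the libcurl version out of `curl --version` output (the tool and the library it links can differ, and the bug lives in libcurl), tests the advisory's version range, and flags proxy environment variables that select socks5h. The sample `curl --version` text and environment are constructed. It only sees environment variables: applications that set CURLOPT_PROXY with CURLPROXY_SOCKS5_HOSTNAME in code, and command lines using --socks5-hostname or --proxy socks5h://, are not covered. Distros backport fixes without bumping versions, so a version inside the range is a prompt to check the distro advisory (the repology link below), not proof of exposure.

```python
"""Added check (not from the advisory or curl): is this host's libcurl in the
CVE-2023-38545 version range, and does its proxy environment ask for SOCKS5
proxy-side name resolution (socks5h://)?"""
import re
import subprocess
from typing import Optional
from urllib.parse import urlsplit

FIRST_AFFECTED = (7, 69, 0)   # per the advisory
LAST_AFFECTED = (8, 3, 0)
# Variables curl reads for a proxy. http_proxy is honoured in lowercase only
# (the uppercase form can be injected by CGI); the others in either case.
# Other per-scheme variables (ftp_proxy, ...) exist and are not checked here.
PROXY_ENV_VARS = ("ALL_PROXY", "all_proxy", "HTTPS_PROXY", "https_proxy",
                  "http_proxy")

SAMPLE_CURL_VERSION = (  # constructed sample, not captured from a real host
    "curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11\n"
    "Release-Date: 2022-01-05\n"
)
SAMPLE_ENV = {  # constructed; 9050 is Tor's usual SOCKS port
    "ALL_PROXY": "socks5h://127.0.0.1:9050",
    "HTTPS_PROXY": "http://proxy.example:3128",
}


def parse_version(v: str) -> tuple:
    """'7.81.0-1ubuntu1.14' -> (7, 81, 0); missing components count as 0."""
    parts = v.strip().split("-")[0].split(".")
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def version_affected(v: str) -> bool:
    """True for 7.69.0 <= v <= 8.3.0, the range given in the advisory."""
    return FIRST_AFFECTED <= parse_version(v) <= LAST_AFFECTED


def libcurl_version_from_output(curl_version_output: str) -> Optional[str]:
    """Pick the libcurl/x.y.z token out of `curl --version` output."""
    m = re.search(r"\blibcurl/(\d+\.\d+\.\d+)", curl_version_output)
    return m.group(1) if m else None


def socks5h_proxies(env: dict) -> list:
    """'VAR=value' for every proxy variable selecting proxy-side SOCKS5 name
    resolution. socks5:// (local resolution) is deliberately not flagged:
    the vulnerable code path is the remote-resolve one."""
    hits = []
    for var in PROXY_ENV_VARS:
        value = env.get(var)
        if value and urlsplit(value).scheme.lower() == "socks5h":
            hits.append(f"{var}={value}")
    return hits


def assess(curl_version_output: str, env: dict) -> dict:
    """Combine the two checks into one report for a host."""
    v = libcurl_version_from_output(curl_version_output)
    return {
        "libcurl": v,
        "version_in_range": bool(v) and version_affected(v),
        "socks5h_proxies": socks5h_proxies(env),
    }


if __name__ == "__main__":
    import os
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_CURL_VERSION  # no curl on PATH: fall back to the sample
    print(assess(out, dict(os.environ)))
    print(assess(SAMPLE_CURL_VERSION, SAMPLE_ENV))
```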
Privilege escalation: it is not yet clear how hard it would be to chain other vulnerabilities so as to deliberately invoke curl or libcurl with SOCKS5 proxy-side resolution enabled.
Official general release video:
https://youtu.be/-j-_nKmq2aE
PoC with good commentary (@harrysintonen):
https://infosec.exchange/@harrysintonen/111214844467791428
Also from Harry: analysis of why it evaded static analysis tools:
https://infosec.exchange/@harrysintonen/111215792389706345
Plausible exploitation scenario: using Tor (which uses SOCKS5 natively) [6]
Check package update status across many distros:
https://repology.org/project/curl/versions
The discoverer is Jay Satiro. Maybe only a coincidence, but if this is the same Jay Satiro then, like many pioneers of the security industry, he may have had a young hacker past:
https://www.deseret.com/1999/12/26/19482388/hacker-gets-year-in-jail-no-computer
John Hammond describes using this simple Python SOCKS proxy as an easy way to tinker:
https://github.com/MisterDaneel/pysoxy
Useful coverage:
Section 2: Pre-announcement leak
A leaked CentOS Stream patch for CVE-2023-38545 [1]:
https://gitlab.com/redhat/centos-stream/rpms/curl/-/commit/0783247f07250043dceb74e426f16f9d46147163#57c8706b6a9132202629833e05fd961bfcc66836
... says:
"[PATCH] socks: return error if hostname too long for remote resolve
Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."
John Hammond tweet thread about the CentOS SOCKS patch:
https://twitter.com/_JohnHammond/status/1711913166165463220 [3]
MalwareJake SOCKS speculation:
https://twitter.com/MalwareJake/status/1711922431068090721
Section 3: Pre-announcement
Stenberg's summary post:
https://github.com/curl/curl/discussions/12026
... has these summaries:
CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
Announce page:
https://curl.se/docs/CVE-2023-38545.html
Official blog post:
https://daniel.haxx.se/blog/2023/10/11/how-i-made-a-heap-overflow-in-curl/
oss-security post:
https://www.openwall.com/lists/oss-security/2023/10/11/1
CVE-2023-38546: severity LOW (affects libcurl only, not the tool)
Announce page:
https://curl.se/docs/CVE-2023-38546.html
Affected versions: libcurl 7.9.1 (November 2001) up to and including 8.3.0
For CVE-2023-38545, "HIGH" was chosen deliberately. Quoting Stenberg: [2]
'Remember: it is "just" a HIGH severity flaw, not a the-sky-is-falling severity flaw.'
One of the vulns (CVE-2023-38546, present since 7.9.1 in November 2001) is over 8000 days old [4] (confirmed; see above).
Appendix
See also general refs:
https://infosec.exchange/@tychotithonus/111214037492190911
[1] Spotted by https://infosec.exchange/@Emily/111213538763832668
[2] "Just HIGH": https://mastodon.social/@bagder/111212947177464680
[3] https://twitter.com/_JohnHammond/status/1711913166165463220
[4] Spotted by https://mstdn.social/@msw/111214091396882736
[5] https://mastodon.social/@bagder/111167662713737288
[6] https://mastodon.social/@bagder/111214995699589027
Non-trivially updated:
Wed Oct 11 15:45:40 UTC 2023
#CVE_2023_38545
#CVE202338545
#CVE_2023_38546
#CVE202338546