Here's a canonical URL for the little info there is about the pending #curl security announcements: https://github.com/curl/curl/discussions/12026
Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026

We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...

@bagder Feels like we're going to have to rebuild all the things depending on libcurl. BRB going to grab CPUs
@nico @bagder only if you link it statically, otherwise you just need to update the libcurl.so or curl.dll or whatever
@Doomed_Daniel @nico @bagder Sure, back in the old days you just updated the libraries. Now you need to rebuild all those container images. Or more likely hope and pray that the base container is updated.
@Doomed_Daniel @bagder In the world of containers the .so is shipped as the build-time version, so we will have to rebuild many containers. And even for the "FROM scratch" ones using Go static binaries it will be necessary. Plus the fact that it will be harder to detect :/
@nico @bagder Does Go use curl? I always thought they implemented http etc themselves in their stdlib
@Doomed_Daniel @bagder Indeed, I got carried away :) That's one less thing to worry about :D