Here's a canonical URL for the little info there is about the pending #curl security announcements: https://github.com/curl/curl/discussions/12026
Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026

We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...

now locked from further comments...
@bagder Good luck with the rollout! Seems like it's being handled well from your side.
@bagder There is one guy asking about access to the patches for his company internal distro, before they get released. Isn't the paid support for that?
@bagder what about curl client included in Windows? Is it affected?
@microblogc that's the extent of what I intend to "leak" about these problems ahead of time.
@bagder Feels like we're going to have to rebuild all the things depending on libcurl. BRB going to grab CPUs
@nico @bagder
only if you link it statically, otherwise you just need to update the libcurl.so or curl.dll or whatever
@Doomed_Daniel @nico @bagder Sure, back in the old days you just updated the libraries. Now you need to rebuild all those container images. Or more likely hope and pray that the base container is updated.
@Doomed_Daniel @bagder In the world of containers the .so is shipped as the build-time version, so we will have to rebuild many containers. And even for the "FROM scratch" ones using Go static binaries it will be necessary. Plus the fact that it will be harder to detect :/
@nico @bagder
Does Go use curl? I always thought they implemented http etc themselves in their stdlib
@Doomed_Daniel @bagder Indeed, I got carried away :) That's one less thing to worry about :D

@bagder I think an entry on https://curl.se/news.html should notify about the upcoming important release.

I originally went there to find out at which time on October the fix will be released. Can you at least name a time window?

#curl

@dboehmer will do. In the meantime, check out https://github.com/curl/curl/discussions/12026

@bagder followed that last night to get notified when more info landed and woke up to… a wall of nonsense emails.

Sorry you’re dealing with it all.

Any chance you’d consider locking the thread?

@lukewaite I think a few of the questions that popped in have been relevant, and added value but yes I will lock the thread soon

@bagder Fair. I was overlooking those by the time I made it to the bottom of the list.

Thank you!

@bagder

Thx Daniel for the hard work.

Do not let the "Use memory safe language" crowd put you down, curl is an amazing project.

And most of them have no clue of what they are talking about anyway.

@bagder I keep reading:

"cue curl cve"

and like how it looks visually... Would make a good graphic, not that you want to use it regularly. :)