Re: CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 12 Jun 2023 14:02:46 +0200 (CEST)
On Mon, 12 Jun 2023, Syedhafeez, Nikhath via curl-library wrote:
> CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50 (
> 7.74.0-1.3+deb11u7) , any plans to remediate this issue??
We, as the curl project, fix all security issues on the day they are made
public. We fix them by releasing new fixed versions and we provide patches for
them. We do not patch older versions as we do not particularly support
anything but the latest version. I would urge you to buy curl support to get
that.
If you use a Linux distribution, you get your updates from the distribution
and you should rather send them this question.
However, I think your statement has some additional confusing components:
> curl 7.50 (7.74.0-1.3+deb11u7)
Is it 7.50 or is it 7.74.0 ?
> CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50
I took a look at what we claim about these two issues:
https://curl.se/docs/CVE-2023-23914.html
https://curl.se/docs/CVE-2022-43551.html
Both very clearly state that the first affected version was 7.77.0. The last
affected version is 7.87.0 in the first case and 7.86.0 in the second.
So, neither 7.50 nor 7.74.0 are affected by these flaws.
--
 / daniel.haxx.se
 | Commercial curl support up to 24x7 is available!
 | Private help, bug fixes, support, ports, new features
 | https://curl.se/support.html
Received on 2023-06-12
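The check Daniel walks through by hand above (read the advisory's first and last affected release, compare the upstream version against them) is worth doing mechanically when a scanner flags a distro package. The script below is an added example, not code from the curl project or from this thread. The two ranges are the ones the message quotes from the curl advisories; the version strings it tests, including the Debian-style `7.74.0-1.3+deb11u7` from the question, are constructed here for illustration. Note that it deliberately discards the Debian revision and epoch, since those name the distro build, not the upstream release the advisory ranges describe.

```python
"""Check whether a reported curl version falls inside the affected range
the curl project publishes for a CVE.

Added example, not code from the curl project or from this thread. The
ranges below are the ones quoted in the message from
https://curl.se/docs/CVE-2023-23914.html and
https://curl.se/docs/CVE-2022-43551.html (first affected .. last affected,
inclusive). The version strings under test are constructed for illustration.
"""
import re

# (first affected, last affected), inclusive, as stated in the curl advisories.
AFFECTED_RANGES = {
    "CVE-2023-23914": ("7.77.0", "7.87.0"),
    "CVE-2022-43551": ("7.77.0", "7.86.0"),
}

# major.minor with an optional .patch; anything after that is packaging noise.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_upstream_version(version: str) -> tuple:
    """Return the upstream curl version as a comparable (major, minor, patch) tuple.

    Distribution suffixes (Debian's '-1.3+deb11u7', an epoch such as '1:')
    are dropped: they identify the distro build, not the upstream release
    that the advisory's affected range refers to. A missing patch component
    (e.g. '7.50') is treated as .0.
    """
    upstream = version.split(":", 1)[-1]  # strip a Debian epoch, if present
    m = _VERSION_RE.match(upstream)
    if not m:
        raise ValueError(f"not a curl version string: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def affected_by(version: str, cve: str) -> bool:
    """True if the upstream version lies within the advisory's affected range."""
    first, last = AFFECTED_RANGES[cve]
    v = parse_upstream_version(version)
    return parse_upstream_version(first) <= v <= parse_upstream_version(last)


def affected_cves(version: str) -> list:
    """All listed CVEs whose affected range contains this version, sorted."""
    return sorted(cve for cve in AFFECTED_RANGES if affected_by(version, cve))


if __name__ == "__main__":
    # Constructed sample inputs, including the package version from the thread.
    for v in ("7.50", "7.74.0-1.3+deb11u7", "7.77.0", "7.86.0", "7.87.0", "7.88.0"):
        hits = affected_cves(v)
        print(f"{v:24s} -> {', '.join(hits) if hits else 'outside every listed range'}")
```

Running it shows `7.50` and `7.74.0-1.3+deb11u7` outside both ranges, `7.77.0` through `7.86.0` inside both, `7.87.0` inside only CVE-2023-23914, and `7.88.0` clear. The comparison only answers the question the advisory can answer: a version outside the range never had the bug. A version inside the range may still be patched by the distribution, which is why a flag on a distro package has to be checked against that distribution's own security tracker rather than the upstream version number alone.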