Re: Need help on how to upgrade the curl.exe and libcurl.dll file versions on Windows
From: Daniel Feenberg via curl-users <curl-users_at_lists.haxx.se>
Date: Sat, 14 Sep 2024 12:05:30 -0400 (EDT)
On Fri, 13 Sep 2024, Jody Sherwin via curl-users wrote:
> Hello,
>
> During our monthly Nessus Security Vulnerability Scan we have received a
> few separate results on needing to upgrade the version of the [curl.exe]
> and the [libcurl.dll] files on a few Windows machines, which I had a few
> questions on this...
>
> I was wondering how do I go about these upgrades as it seems the files are
> installed in a few separate locations?
> ...
> If so, do I perhaps reach out to you guys on this, or is this something
> that the manufacturers like HPE, Microsoft, SAP BusinessObjects, and the
> Shibboleth Support folks would assist on instead??
> ...
Fandrich has good advice, if indeed the vendors noted are willing to help.
If you are a small customer, they may not share your concerns and will
refuse to help. In that case I would look at how curl is being used. If
you only use it to contact sites known to be trustworthy, it would be
reasonable to leave things be. If you have constraints that require a
clean scan, try replacing the existing binaries with updated ones from the
curl website. Save the existing ones and do some testing. It is likely to
be fine.
You may find this of interest:
https://www.invicti.com/blog/web-security/why-curl-buffer-overflow-vulnerability-is-not-next-log4shell/
Daniel Feenberg
NBER
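
The inventory and "save the existing ones" steps from the message above, as an added PowerShell example that is not part of the original post or of the curl project. The search roots and the backup folder are assumed values; the signer column is there to help tell which vendor shipped each copy.

```powershell
# Added example: list every curl.exe / libcurl*.dll copy with its version and signer,
# then save each original under a backup folder before any replacement is tried.
# $SearchRoots and $BackupRoot are assumed values; adjust them to the machine.
$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\System32')
$BackupRoot  = 'C:\curl-backup'

function Get-CurlInventory {
    param([string[]]$Roots)
    Get-ChildItem -Path $Roots -Recurse -File -Include 'curl.exe', 'libcurl*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                Product     = $_.VersionInfo.ProductName
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Backup-CurlBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Destination
    )
    # Mirror the original directory layout (drive letter without the colon)
    # so each saved file can be restored to exactly where it came from.
    $relative = $Path -replace '^([A-Za-z]):', '$1'
    $target   = Join-Path $Destination $relative
    New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
    Copy-Item -Path $Path -Destination $target -Force
    $target
}

$inventory = Get-CurlInventory -Roots $SearchRoots
$inventory | Sort-Object Path | Format-Table Path, FileVersion, Signer -AutoSize

# Keep a record of what was found (versions and hashes) alongside the saved binaries.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$inventory | Export-Csv -Path (Join-Path $BackupRoot 'curl-inventory.csv') -NoTypeInformation
$inventory | ForEach-Object { Backup-CurlBinary -Path $_.Path -Destination $BackupRoot }
```

Run it from an elevated prompt so protected directories are readable; the CSV gives a before-state to compare against after testing a replacement.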
Received on 2024-09-14