curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50

From: Daniel Stenberg via curl-library <>
Date: Mon, 12 Jun 2023 14:02:46 +0200 (CEST)

On Mon, 12 Jun 2023, Syedhafeez, Nikhath via curl-library wrote:

> CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50 (
> 7.74.0-1.3+deb11u7) , any plans to remediate this issue??

We, as the curl project, fix all security issues at the day they are made
public. We fix them by releasing new fixed versions and we provide patches for
them. We do not patch older versions as we do not particularly support
anything but the latest version. I would urge you to buy curl support to get

If you use a Linux distribution, you get your updates from the distribution
and you should rather send them this quetion.

However, I think your statement has some additional confusing components:

> curl 7.50 (7.74.0-1.3+deb11u7)

Is it 7.50 or is it 7.74.0 ?

> CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50

I took a look at what we claim about these two issues:

Both very clearly state that the first affected version was 7.77.0. The last
affected version is 7.87.0 in the first case and 7.86.0 in the second.

So, neither 7.50 nor 7.74.0 are affected by these flaws.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2023-06-12