CVE-2020-19909 possibly released without curl's authors ack (yet another NVD Critical)
From: Samuel Henrique via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 25 Aug 2023 20:30:17 +0100
I wanted to let you know that there's a recent curl CVE published and
it doesn't look like it was acknowledged by the curl authors since
it's not mentioned on the curl website:
CVE-2020-19909
Note that the "2020" in the CVE ID is likely to be the year the report
was submitted to the CNA (not sure who processed this), but it became
public only this week.
You won't be surprised to know that NVD rated it as a "Critical":
https://nvd.nist.gov/vuln/detail/CVE-2020-19909
The CVE's description says:
> Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted value as the retry delay.
And it points to:
https://github.com/curl/curl/pull/4166
Cheers,
--
Samuel Henrique <samueloph>

Received on 2023-08-25