Re: Vulnerabilities affect version fixes about CVE-2022-43551
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 13 Dec 2024 13:57:50 +0100 (CET)
On Fri, 13 Dec 2024, 陈星杵 via curl-library wrote:
> I found that the affected version of CVE-2022-43551 on the
> "https://curl.se/docs/CVE-2022-43551.html" is missing. First of all, thank
> you very much for the very clear explanation on the website about the root
> causes of vulnerabilities and patch. But based on my review and analysis of
> the code repository, I have found that this vulnerability still exists in
> 'curl-7_74_0'
Thanks for looking out for mistakes.
The reason we don't say 7.74.0 for this CVE is that while the vulnerable code
was actually present then, the HSTS feature was not enabled by default and was
labeled as experimental. It means that only users who would go against our
explicit recommendation and use in production something that we say is
experimental would be vulnerable in that version.
In 7.77.0 we removed the experimental label, so the code that was already in
place then became actually vulnerable.
I believe this is the pragmatic way of dealing with the affected version range
when it comes to experimental features that are supposed to be switched off in
production.
-- / daniel.haxx.se || https://rock-solid.curl.dev
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.html
Received on 2024-12-13