
Re: CVE-2024-7264

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 29 Jan 2025 08:15:22 +0100 (CET)

On Wed, 29 Jan 2025, Zac Todd via curl-library wrote:

> I've recently had CVE-2024-7264 popping up in CrowdStrike as an open
> vulnerability, for a little context I have had very little to do with
> this curl stuff.

You don't mention what OS you're on, nor where (inside which product)
CrowdStrike identified this vulnerability.

Your mention of 'dll' and the reddit link however makes me draw two
conclusions: this is on Windows, this "warning" is not about the bundled
curl.exe ?

If the specific dll it warns about was not shipped by the curl project, you
are better off asking the team that built and shipped it. If you have the same
version that was mentioned in the reddit post of yours, it is part of a
Microsoft application install and then you need to contact Microsoft support.

The reddit page might imply that the libcurl actually comes from a "Salesforce
ODBC Driver" for office? If so, then the manufacturer of that thing is
responsible.

> Is simply having the affected version of the libcurl.dll file enough to make
> a computer vulnerable or does it also require the specific backend before it
> is a problem?

First: your computer is probably not vulnerable at all. This is a warning from
software that profits from warning about things it knows very little about.
And if it is right, which occasionally happens, the one entity that can fix
this is the package that ships the vulnerable libcurl: they can just build a
fixed version and ship that instead.

We announced the fix at the same time we announced that CVE, and all the
details are at https://curl.se/docs/CVE-2024-7264.html So there has been a fix
available for about six months.

What is kind of ironic here, is that Windows itself ships curl.exe 8.9.1,
which does not contain this problem.

> If it does require a specific backend, how can I determine if that backend
> is being used in order to remediate the threats?

Ask your support person for the software deemed vulnerable. If you want to
investigate it yourself you can of course dissect the dll and probably figure
it out. I think there's a fair chance they use Schannel on Windows.

The curl project ships releases as tarballs. We release source code archives.
Most applications (that are not Linux) build their own curl/libcurl and
bundle that with their software. Like in this case. This means that no one
else than the original distributor can update and provide libcurl in the same
way. They can and should get an updated version from us, then ship an update
of their software.

I offer commercial support to companies to help them with things like this.

-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2025-01-29
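The thread asks how to tell which TLS backend a given libcurl.dll was built with. The following script is an added example for this page, not code from the curl project or from either poster. It reads the build string that `curl -V` prints (the same format that the real libcurl API `curl_version()` returns, so a bare libcurl.dll without curl.exe can be queried through ctypes), extracts the libcurl version and the TLS backend tokens, and compares the version against 8.9.1, which the reply above describes as not containing the problem; treating 8.9.1 as the fixed threshold is an assumption to be confirmed against the advisory page linked in the mail. The sample strings are constructed. The script reports the backend; which backends the CVE applies to is left to the advisory.

```python
"""Identify the libcurl version and TLS backend(s) of a curl build.

Added example for this page; not code from the curl project. It reads the
build string that `curl -V` prints (or that curl_version() returns from a
libcurl shared library) and compares the version against the release that
the advisory lists as fixed.
"""
import ctypes
import re
import sys
from typing import NamedTuple, Tuple

# Assumption: CVE-2024-7264 is fixed from curl 8.9.1 onwards (the email notes
# 8.9.1 does not contain the problem). Verify against
# https://curl.se/docs/CVE-2024-7264.html before relying on this constant.
FIXED_VERSION = (8, 9, 1)

# TLS backend names as they appear in `curl -V` / curl_version() output,
# e.g. "OpenSSL/3.0.2", "Schannel", "(SecureTransport)", "rustls-ffi/0.13.0".
TLS_BACKENDS = ("OpenSSL", "Schannel", "GnuTLS", "wolfSSL", "mbedTLS",
                "BoringSSL", "LibreSSL", "rustls", "SecureTransport", "BearSSL")


class CurlBuild(NamedTuple):
    version: Tuple[int, int, int]
    backends: Tuple[str, ...]   # more than one in a MultiSSL build
    before_fix: bool            # version older than FIXED_VERSION


def parse_version_string(text: str) -> CurlBuild:
    """Parse the first line of `curl -V` or the string from curl_version()."""
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no libcurl/X.Y.Z token in: %r" % text)
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    # Match backend names as whole words; "/version" or ")" may follow them.
    backends = tuple(
        name for name in TLS_BACKENDS
        if re.search(r"(?<!\w)" + re.escape(name) + r"(?!\w)", text)
    )
    return CurlBuild(version, backends, version < FIXED_VERSION)


def query_library(path: str) -> CurlBuild:
    """Ask a libcurl shared library (libcurl.dll, libcurl.so) directly.

    curl_version() is a real libcurl API that returns a static string in the
    same format as the `curl -V` header line. Works without curl.exe present.
    """
    lib = ctypes.CDLL(path)
    lib.curl_version.restype = ctypes.c_char_p
    lib.curl_version.argtypes = []
    return parse_version_string(lib.curl_version().decode("ascii", "replace"))


def describe(build: CurlBuild) -> str:
    """One-line summary suitable for a ticket or an inventory report."""
    ver = ".".join(str(p) for p in build.version)
    tls = ", ".join(build.backends) or "unknown/none"
    status = (("older than %d.%d.%d: check the advisory for this backend"
               % FIXED_VERSION) if build.before_fix
              else "at or past the fixed release")
    return "libcurl %s, TLS backend(s): %s; %s" % (ver, tls, status)


# Constructed sample strings in the `curl -V` format (not real inventory data).
SAMPLES = [
    "curl 8.9.1 (Windows) libcurl/8.9.1 Schannel zlib/1.3 WinIDN",
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.11",
    "libcurl/8.5.0 OpenSSL/3.1.4 (Schannel) zlib/1.3 libssh2/1.11.0 MultiSSL",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:            # path to a libcurl shared library
        print(describe(query_library(sys.argv[1])))
    else:
        for line in SAMPLES:
            print(describe(parse_version_string(line)))
```

Run it with no arguments to see the constructed samples classified, or pass the path of a libcurl.dll shipped inside a third-party application to read that library's own build string. A build reporting more than one backend (MultiSSL) selects one at runtime, so the report lists all of them rather than guessing.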