Get ready to secure your online operations because an important new release of the popular software tool, Curl, is on the horizon. Curl 8.4.0 is set to roll out on October 11, aimed at fixing a pair of serious security vulnerabilities. Daniel Stenberg, the lead developer, has described one of these issues as “possibly the most critical security flaw seen in Curl in a long time.”
What Security Vulnerabilities has been found in Curl ?
A critical heap-based buffer overflow vulnerability has been identified within the SOCKS5 proxy handshake component of the Curl package. When Curl is incapable of resolving an address by itself, it forwards the hostname to the SOCKS5 proxy. However, there’s a limitation in place, allowing a maximum hostname length of 255 bytes. If the hostname surpasses this limit, Curl switches to local name resolution and transmits the resolved address to the proxy.
The issue arises when a local variable responsible for instructing Curl to “let the host resolve the name” obtains an incorrect value during a protracted SOCKS5 handshake. This leads to the extended hostname being copied to the target buffer, rather than the intended behavior of passing the resolved address.
This release is scheduled for approximately 0600 UTC (0800 CEST, 0700 BST, 0200 EST, 2300 PDT) on October 11, focusing on resolving two vulnerabilities, CVE-2023-38545 (affecting both libcurl and the Curl tool) and CVE-2023-38546 (exclusive to libcurl).
Notably, this update won’t introduce any changes to the API or ABI, ensuring a smooth transition for users.
CVE-2023-38545 has been classified as a high-severity issue. While specific vulnerability details aren’t disclosed, it’s crucial to note that the development timeline was expedited to ensure swift resolution.
Curl is a fundamental tool supporting a significant part of internet infrastructure. It functions as a command-line file transfer utility, used in scripts for data transfer. Additionally, it’s integrated into various connected devices, from printers to vehicles. The Curl team proudly states that it powers “the internet transfer engine for thousands of software applications, with over twenty billion installations.” In essence, Curl is used daily by virtually every internet user globally. Also Read: How do Scientists Determine When an Era Begins and When it Ends
Curl made its debut in 1998, with predecessors dating back to 1996. The name “cURL” was chosen due to its connection to URLs, and the acronym “Curl URL Request Library” was coined later.
While an urgent security fix might not be the ideal 25th-anniversary gift for the Curl team, it’s an essential step in maintaining the security of this indispensable tool.
In summary, while the upcoming Curl release addresses a high-severity security flaw, users are advised not to panic but to swiftly install the patched packages. Furthermore, it’s crucial to remember that containers can also host operating systems, so their security should not be overlooked.
Also Read: Why Are Light Bulbs Shaped the Way They Are?