Tomorrow, October 11, the curl project is expecting to release version 8.4.0 to mitigate the following CVEs:
CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
CVE-2023-38546: severity LOW (affects libcurl only, not the tool)
Additional details available:
Curious if anyone has any clever ideas on identifying systems affected by either curl or libcurl. The fun will of course be waiting on patches from products which bundle the library, but knowing which ones to focus on would be helpful.
A fairly basic way to get the curl version for Windows and Linux (not sure how to detect the version from mac, seeing as it isn't an application).
(if (windows of it) then
    (unique values of versions of files "curl.exe" of (system x64 folder; system folder) as string)
else (if (unix of it) then
    (if (name of it as lowercase contains "linux") then
        (unique values of versions of packages whose (name of it as lowercase contains "curl") of
            (if exists properties whose (it as string contains "debianpackage:") then debianpackages
             else if exists properties whose (it as string contains "rpm:") then rpms
             else ERROR "The operators are not defined.") as string)
    else (""))
else (if (mac of it) then ("NA") else (nothing)))) of operating system
I'd suspect OS vendors will have patches released; those will give further insights as to the affected estate. Libcurl.dll is somewhat more challenging, as it seems to exist in several 3rd party apps such as Notepad++, Office, SQL Server Management Studio and LogiOptions, to name a few I've seen. Possibly apps with a built-in update feature may use libcurl.dll.
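The two posts above cover the two halves of the problem: the curl tool version (the relevance snippet) and bundled copies of the library that the OS package manager does not know about (libcurl.dll inside third-party apps). The following is an added example, not code from the thread or from the BigFix project, that does both on a Linux host from a plain shell: it reads the tool banner, reads the "libcurl/X.Y.Z" string embedded in every libcurl shared object it can find (the file name libcurl.so.4.x.y carries the SONAME, not the curl release, so it cannot be used), and flags anything older than 8.4.0, the release the thread names as carrying the fix. The directory list and the 8.4.0 cut-off are assumptions you can adjust; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the BigFix project): inventory curl and
# libcurl on a Linux host and flag versions below 8.4.0, the release the thread
# names as the fix. Assumes GNU/BusyBox coreutils (sort -V, grep -a, find).

FIXED_VERSION="8.4.0"   # assumption: first fixed release, per the thread

# Return 0 (true) when dotted version $1 sorts strictly before $2.
# 'sort -V' gives natural version order, so 8.10.0 is newer than 8.9.0.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Pull "8.2.1" out of the first line of 'curl --version', which looks like
# "curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.2 ...".
curl_tool_version() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Pull the version from any text carrying a "libcurl/X.Y.Z" token: the banner
# line above, or the strings inside a libcurl .so / .dll (curl embeds this
# token as its default User-Agent, which is why it is present in the binary).
libcurl_version() {
    printf '%s\n' "$1" | grep -ao 'libcurl/[0-9][0-9.]*' | head -n1 | cut -d/ -f2
}

# Classify one version string: VULNERABLE / FIXED / UNKNOWN.
classify() {
    v="$1"
    if [ -z "$v" ]; then echo UNKNOWN
    elif version_lt "$v" "$FIXED_VERSION"; then echo VULNERABLE
    else echo FIXED
    fi
}

# Live inventory of this host. Output lines: <what> <path> <version> <status>
inventory() {
    # 1. The curl tool itself (CVE-2023-38545 affects the tool as well as libcurl).
    if command -v curl >/dev/null 2>&1; then
        banner="$(curl --version 2>/dev/null || true)"
        v="$(curl_tool_version "$banner")"
        echo "curl-tool $(command -v curl) ${v:-?} $(classify "$v")"
    fi

    # 2. Every libcurl shared object, including copies bundled by third-party
    #    software under /opt or /snap that no package manager tracks.
    #    Assumption: these directories cover the bundled copies you care about.
    for dir in /usr/lib /usr/lib64 /usr/local/lib /opt /snap; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f -name 'libcurl*.so*' 2>/dev/null |
        while IFS= read -r lib; do
            v="$(libcurl_version "$(grep -ao 'libcurl/[0-9][0-9.]*' "$lib" 2>/dev/null | head -n1)")"
            echo "libcurl $lib ${v:-?} $(classify "$v")"
        done
    done

    # 3. Package-manager view, for comparison with what the OS vendor will patch.
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='pkg ${Package} ${Version}\n' 'libcurl*' 'curl' 2>/dev/null || true
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf 'pkg %{NAME} %{VERSION}-%{RELEASE}\n' 'curl*' 'libcurl*' 2>/dev/null || true
    fi
}

inventory
```

Run it as root (or with read access to the application directories) and feed the output into whatever inventory tool you use; a bundled copy shows up as a `libcurl` line whose path is outside the distro's library directories, which is exactly the set that will still be vulnerable after the vendor package is updated. One caveat: the script treats everything below 8.4.0 as affected, while curl's own advisory for CVE-2023-38545 lists 7.69.0 as the first affected release, so a very old build may be flagged VULNERABLE for that CVE when it is not; cross-check against the advisory before declaring an estate clean.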
On a similar note - is HCL planning on a patch to existing releases of Bigfix modules, or should we expect to plan to need to go to the latest version of 10.x and/or 11.x ?
(That I can only assume will be released in the next 3-10 days.)
Can’t really talk publicly about response but we are watching this closely. If this requires a patch on our part (and it very well might), I’d expect at least a minor release update on BigFix 11, 10, and 9.5. Our version of libcurl is statically compiled, so it’s unlikely we could replace libcurl by itself, this would be new binaries for client/server/relay.