cURL version 8.4.0 released with two high-risk security patches and IPFS URL support
Oct 12, 2023 at 12:42 PM

cURL, the URL syntax-based data transfer command-line tool, has released its version 8.4.0, featuring two high-risk security patches. The patches, addressing vulnerabilities CVE-2023-38545 and CVE-2023-38546, were characterized by cURL project founder and lead developer Daniel Stenberg as “probably the worst curl security flaw in a long time”.

CVE-2023-38545 pertains to a flaw causing cURL to overflow a heap-based buffer in the SOCKS5 proxy handshake, while CVE-2023-38546 allows an attacker to insert cookies into a running program using libcurl under a specific set of conditions. The latter requires the cookies to be placed in a file named “none” in the application’s current directory.

In addition to the security patches, version 8.4.0 also supports InterPlanetary File System (IPFS) URLs via gateway, and includes various other enhancements and bug fixes.

Oct 12, 2023 by Paul

cURL is a software project that offers a command-line tool and a library for transferring data over multiple protocols using URL syntax. It is an HTTP client and supports FTP, FTPS, SCP, SFTP, HTTP, HTTPS, TFTP, TELNET, DICT, LDAP, LDAPS, and FILE. Notable features include a command-line interface, portability, and data transfer capabilities. cURL is rated 4.8, and its top alternatives are Wget, aria2, and HTTPie for Terminal.
