From: "Đoàn Trần Công Danh" <congdanhqx@gmail.com>
To: distributions@lists.linux.dev
Subject: There is a curl "severity HIGH security problem" pre-announcement on GitHub
Date: Thu, 5 Oct 2023 20:33:07 +0700
Message-ID: <ZR67E4b66iaJYiRy@danh.dev>

----- Forwarded message from Erik Auerswald <auerswal@unix-ag.uni-kl.de> -----

From: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
Subject: [oss-security] There is a curl "severity HIGH security problem" pre-announcement on GitHub
Date: Thu, 5 Oct 2023 10:14:49 +0200
To: oss-security@lists.openwall.com
List-ID: <oss-security.lists.openwall.com>
Message-ID: <20231005081449.GA20205@unix-ag.uni-kl.de>

Hi,

there is a pre-announcement of a curl security problem with high severity
that can be found on GitHub:

 - https://github.com/curl/curl/discussions
 - https://github.com/curl/curl/discussions/12026

(I have seen a link to it from some web site, and did not see it on this
list yet.)

There is little information available; the GitHub discussions post says:

   "We are cutting the release cycle short and will release curl 8.4.0 on
    October 11, including fixes for a severity HIGH CVE and one severity
    LOW. The one rated HIGH is probably the worst curl security flaw in
    a long time.

    The new version and details about the two CVEs will be published
    around 06:00 UTC on the release day.

    * CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
    * CVE-2023-38546: severity LOW (affects libcurl only, not the tool)

    Now you know. Plan accordingly."

Best regards,
Erik

----- End forwarded message -----

-- 
Danh
