Posted on twitter by Curl author Daniel Stenberg - https://nitter.cz/bagder/status/1709103920914526525
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE. Buckle up.
… But this time actually the worst security problem found in curl in a long time
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
I want to thank the
curl
developers for taking security issues seriously to keep me safe.Now I’m going to go pipe another
curl
script output directly into asudo bash
command. /sWe need a version of
/s
for “I’m not actually doing this right now… but we know I still will…”Who also guesses buffer overflow or use-after-free?
Buffer overflows are like Lupus in House M.D.
It’s not overflow. It’s never overflow.