I’m confused. Why hasn’t curl been updated to the latest version, 8.4.0? The widely used tool has a vulnerability that can be exploited to cause a heap-based buffer overflow issue.
The release of curl 8.4.0, on October 11, addresses a vulnerability listed as CVE-2023-38545, which can be exploited to cause a heap-based buffer overflow in the SOCKS5 proxy handshake.
Manjaro still has 8.3.0
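Since the question is whether the installed package is still the pre-fix build, here is an added shell check (not from this thread or from the curl project) that parses the first line of `curl --version` output and compares the version against the 8.4.0 fix release; the sample output lines below are constructed, and the output format is assumed to match what curl prints on an Arch/Manjaro box.

```shell
#!/bin/sh
# Version in which CVE-2023-38545 was fixed (from the thread).
FIXED_VERSION=8.4.0

# Extract "8.3.0" from the first line of `curl --version` output.
curl_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) if version $1 is older than version $2, comparing
# major.minor.patch numerically; missing fields count as 0.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s.0.0.0' "$1" | cut -d. -f"$i"); a=${a:-0}
        b=$(printf '%s.0.0.0' "$2" | cut -d. -f"$i"); b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# 0 = older than the fix, 1 = fixed or newer, 2 = could not parse.
curl_needs_update() {
    v=$(curl_version_from_output "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

report() {
    rc=0; curl_needs_update "$1" || rc=$?
    v=$(curl_version_from_output "$1")
    case $rc in
        0) echo "UPDATE NEEDED: curl $v is older than $FIXED_VERSION (CVE-2023-38545 fix)" ;;
        1) echo "OK: curl $v is $FIXED_VERSION or newer" ;;
        *) echo "could not parse curl version from output" ;;
    esac
}

# Constructed sample outputs (assumed format) for a pre-fix and a fixed build.
SAMPLE_OLD='curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.1.3 zlib/1.3
Release-Date: 2023-09-13
Protocols: dict file ftp ftps http https'
SAMPLE_NEW='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.1.3 zlib/1.3
Release-Date: 2023-10-11'

report "$SAMPLE_OLD"
report "$SAMPLE_NEW"
# Check the real binary when one is installed.
if command -v curl >/dev/null 2>&1; then report "$(curl --version)"; fi
```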
CVE-2023-38545 was reported to curl project September 30, 2023.
The curl github announcement has a comment in response to questions about delaying release
Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026 · GitHub
there is a minuscule risk that someone can find this (again) before we ship the patch, but this issue has stayed undetected for years for a reason. I think taking a few days to make sure we do a solid release is worth this risk.
curl was updated on Arch - 2023-10-12 22:43 UTC - Arch Linux - curl 8.7.1-5 (x86_64)
(12 hours ago at time of this post)
curl 8.4.0-1 is available on Unstable branch - Packages
I expect the Manjaro team will probably fast-track this package with a much shorter deadline than the curl project.
Is pamac or pacman using curl to download the packages?
No. Though, it may be possible, I imagine. However, many foreign software installation procedures in the wild actively promote using curl to download packages, or source prior to building.
Interestingly, I linked to that in a thread that was actively promoting the use of curl
as part of a solution strategy – it was rudely flagged as off-topic by … a member … and promptly disregarded.
Security must not be foremost on everybody’s mind, it seems.
pamac and pacman use libalpm
That is not quite correct; the above is the second update for 8.4.0, package release 2: Commits · 0873f8de776e4a41710834ff08332593363e0640 · Arch Linux / Packaging / Packages / curl · GitLab
A post was merged into an existing topic: [Stable Update] 2023-10-13 - Pipewire, Mattermost, Qt5, Haskell, Python
curl 8.4.0-0 has now been released to Testing and Stable branches
I just installed it, tumps up! That everyone see this topic right now.
Thanks to the devs for the quick update
What’s a tump?
An opposing, two-digit component on your ant.
Oh, OK, I thought at first that it was something more political.
… Donald Tump … Now I understand the confusion.
Let’s… not go there.
It was more a call for refresh, to get this topic in view to others on the first page (just an upvote).
Maybe I misspelled it… I’m not a native English speaker.
2 posts were split to a new topic: After update to curl 8.4.0 there is an issue with 100% single core usage
I think we all realised that; and just made a light-hearted joke.
We just need to wait till curl 8.4.0-0 reaches Stable; and then everything should be… tumps up. – unless there’s another issue.
It’s in the stable branch (since 2 days ago); that’s why I downloaded it.
Clearly, I missed that. Thanks.