Why hasn’t curl been updated to the latest version 8.4.0?

I’m confused. Why hasn’t curl been updated to the latest version 8.4.0? The widely used tool has a vulnerability that can be exploited to cause a heap-based buffer overflow issue.
The release of curl 8.4.0, on October 11, addresses a vulnerability listed as CVE-2023-38545, which can be exploited to cause a heap-based buffer overflow in the SOCKS5 proxy handshake.
Manjaro still has 8.3.0

3 Likes

CVE-2023-38545 was reported to curl project September 30, 2023.

The curl github announcement has a comment in response to questions about delaying release

Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026 · GitHub
there is a minuscule risk that someone can find this (again) before we ship the patch, but this issue has stayed undetected for years for a reason. I think taking a few days to make sure we do a solid release is worth this risk.

curl was updated on Arch - 2023-10-12 22:43 UTC - Arch Linux - curl 8.7.1-5 (x86_64)
(12 hours ago at time of this post)

curl 8.4.0-1 is available on Unstable branch - Packages

I expect the Manjaro team will probably fast-track this package with a much shorter deadline than the curl project

1 Like

Is pamac or pacman using curl to download the packages?

No. Though, it may be possible, I imagine. However, many foreign software installation procedures in the wild actively promote using curl to download packages, or source prior to building.

Interestingly, I linked to that in a thread that was actively promoting the use of curl as part of a solution strategy – it was rudely flagged as off-topic by … a member … and promptly disregarded.

Security must not be foremost on everybody’s mind, it seems.

1 Like

pamac and pacman use libalpm

1 Like

That is not quite correct, the above is the second update for 8.4.0, package release 2: Commits · 0873f8de776e4a41710834ff08332593363e0640 · Arch Linux / Packaging / Packages / curl · GitLab

1 Like

A post was merged into an existing topic: [Stable Update] 2023-10-13 - Pipewire, Mattermost, Qt5, Haskell, Python

curl 8.4.0-0 has now been released to Testing and Stable branches

4 Likes
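For anyone following this thread who wants to confirm that the fixed package has actually landed on their own machine, here is an added example (not code from the forum thread, nor from the curl or Manjaro projects) that parses the first line of `curl --version` or the output of `pacman -Q curl` and compares the version against 8.4.0, the release the thread names as carrying the fix for CVE-2023-38545. The sample banner strings in the comments are constructed; the `FIXED_VERSION` value comes from the thread.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from the curl/Manjaro projects:
# check whether an installed curl is at or above 8.4.0, the release that fixes
# CVE-2023-38545. Version strings in the comments below are constructed.

FIXED_VERSION=8.4.0   # first curl release carrying the fix (from the thread)

# version_key VERSION -> integer key usable with `-ge`, e.g. 8.4.0 -> 8004000.
# Package-release suffixes ("8.4.0-1") and pre-release tags are dropped.
# Assumes numeric components without leading zeros (true for curl releases).
version_key() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# curl_version_from_banner LINE -> bare version from the first line of
# `curl --version` ("curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 ...")
# or from `pacman -Q curl` ("curl 8.4.0-1"). Prints nothing if unparseable.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p'
}

# is_patched VERSION -> exit status 0 when VERSION >= FIXED_VERSION
is_patched() {
    [ "$(version_key "$1")" -ge "$(version_key "$FIXED_VERSION")" ]
}

# report BANNER_LINE -> one-line verdict; status 0 = patched, 1 = update
# needed, 2 = could not parse a version from the line
report() {
    ver=$(curl_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a curl version from: $1" >&2
        return 2
    fi
    if is_patched "$ver"; then
        echo "curl $ver: at or above $FIXED_VERSION (CVE-2023-38545 fixed)"
    else
        echo "curl $ver: below $FIXED_VERSION, update needed"
        return 1
    fi
}

# Stand-alone usage: check the curl actually on PATH, if any.
if command -v curl >/dev/null 2>&1; then
    report "$(curl --version | head -n 1)" || echo "(exit status $?)"
fi
```

Feed `report` the output of `pacman -Q curl` instead of `curl --version` to check what the package manager thinks is installed; the two can disagree when a locally built curl sits earlier on `PATH` than the distribution package.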

I just installed it, tumps up! So that everyone sees this topic right now.

Thanks to the devs for the quick update :100:

What’s a tump? :man_shrugging:

An opposing, two-digit component on your ant.

:ant:

Oh, OK, I thought at first that it was something more political.
… Donald Tump … Now I understand the confusion. :crazy_face:

1 Like

Let’s… not go there. :joy:

It was more a call for refresh, to get this topic in view to others on the first page (just an upvote).

Maybe I misspelled it… I’m not a native English speaker.

2 posts were split to a new topic: After update to curl 8.4.0 there is an issue with 100% single core usage

I think we all realised that; and just made a light-hearted joke. :wink:

We just need to wait till curl 8.4.0-0 reaches Stable; and then everything should be… tumps up. :+1: – unless there’s another issue.

It’s in the stable branch (for 2 days now), that’s why I downloaded it.

Clearly, I missed that. Thanks.