We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time. The new version and details about the two CVEs will be published around 06:00 UTC on the release day. CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool) CVE-2023-38546: severity LOW (affects libcurl only, not the tool) Now you know. Plan accordingly.
Out now: https://curl.se/changes.html#8_4_0 Advisories: https://curl.se/docs/CVE-2023-38545.html https://curl.se/docs/CVE-2023-38546.html
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd88db729392219f7360e750624963b19f863798 commit dd88db729392219f7360e750624963b19f863798 Author: Matt Jolly <Matt.Jolly@footclan.ninja> AuthorDate: 2023-10-11 06:32:58 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-10-11 06:37:54 +0000 net-misc/curl: add 8.4.0 Bug: https://bugs.gentoo.org/915195 Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja> Closes: https://github.com/gentoo/gentoo/pull/33293 Signed-off-by: Sam James <sam@gentoo.org> net-misc/curl/Manifest | 2 + net-misc/curl/curl-8.4.0.ebuild | 363 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 365 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7f8dbaf27e1846b31eeb6d4b02fd9979ace03d8a commit 7f8dbaf27e1846b31eeb6d4b02fd9979ace03d8a Author: Sam James <sam@gentoo.org> AuthorDate: 2023-10-11 07:01:55 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-10-11 07:01:55 +0000 net-misc/curl: backport CVE-2023-38545, CVE-2023-38546 fixes to 8.3.0 Had a request to backport these - so why not? curl is a large program so people might be hesitant to upgrade it quickly everywhere, so let's make life a bit easier for them. Bug: https://bugs.gentoo.org/915195 Signed-off-by: Sam James <sam@gentoo.org> net-misc/curl/curl-8.3.0-r2.ebuild | 363 +++++++++++++++++++++ .../curl/files/curl-8.3.0-CVE-2023-38545.patch | 136 ++++++++ .../curl/files/curl-8.3.0-CVE-2023-38546.patch | 131 ++++++++ 3 files changed, 630 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=3dfe02046c2bc76fb7e910a04702603b72fcb98c commit 3dfe02046c2bc76fb7e910a04702603b72fcb98c Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-10-11 08:40:59 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-10-11 08:41:24 +0000 [ GLSA 202310-12 ] curl: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/887745 Bug: https://bugs.gentoo.org/894676 Bug: https://bugs.gentoo.org/902801 Bug: https://bugs.gentoo.org/906590 Bug: https://bugs.gentoo.org/910564 Bug: https://bugs.gentoo.org/914091 Bug: https://bugs.gentoo.org/915195 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202310-12.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c22372a61dd61966e9d8438d2cd64ba847a9be20 commit c22372a61dd61966e9d8438d2cd64ba847a9be20 Author: Sam James <sam@gentoo.org> AuthorDate: 2023-11-25 05:09:19 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2023-11-25 05:09:26 +0000 net-misc/curl: drop 8.2.1, 8.3.0, 8.3.0-r1 Bug: https://bugs.gentoo.org/914091 Bug: https://bugs.gentoo.org/915195 Signed-off-by: Sam James <sam@gentoo.org> net-misc/curl/Manifest | 2 - net-misc/curl/curl-8.2.1.ebuild | 361 ------------------------------------- net-misc/curl/curl-8.3.0-r1.ebuild | 361 ------------------------------------- net-misc/curl/curl-8.3.0.ebuild | 360 ------------------------------------ net-misc/curl/metadata.xml | 1 - 5 files changed, 1085 deletions(-)
All done!