Patches have been released for two security vulnerabilities affecting curl and its libcurl data transfer library, one of which could potentially result in code execution.
Earlier this week, the curl maintainers pre-announced that two vulnerabilities would be disclosed later in the week. curl is a popular open-source data transfer tool used widely by developers and system administrators, and its library, libcurl, is embedded in many applications and devices. It supports many network protocols, including HTTP and FTP, with TLS (formerly SSL) for encrypted transfers. The two vulnerabilities comprise a high-severity heap-based buffer overflow and a less severe cookie injection flaw. The project's founder and lead developer has described the high-severity flaw as probably the worst curl security issue in a long time, and it could potentially result in code execution. Both flaws are fixed in curl and libcurl version 8.4.0. In the past we have seen proof-of-concept exploits become available not long after vulnerabilities like these are announced, followed shortly by mass exploitation attempts, so keep your systems safe by patching immediately.
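The first question on any fleet is which hosts still run a curl older than the 8.4.0 release that carries the fixes. The shell snippet below is an added example, not code from the podcast segment or from the curl project: it parses the first line of `curl --version` (the "libcurl/X.Y.Z" token curl prints there) into a comparable number and reports whether it predates 8.4.0. The sample banners are constructed, not captured from a real host. One caveat a practitioner should keep in mind: distribution packages often backport the fix without bumping the version number, so a pre-8.4.0 result means "verify against your vendor's changelog," not "confirmed vulnerable."

```sh
#!/bin/sh
# Added example: flag libcurl versions that predate the 8.4.0 fix release.
# Assumption: versions are dotted "major.minor.patch" as curl prints them.

# Turn "7.88.1" into a comparable integer (7*1000000 + 88*1000 + 1).
# Suffixes such as "-DEV" are dropped; missing components count as 0.
version_key() {
  v=${1%%[!0-9.]*}
  major=${v%%.*}
  rest=${v#"$major"}; rest=${rest#.}
  minor=${rest%%.*}
  rest=${rest#"$minor"}; rest=${rest#.}
  patch=${rest%%.*}
  : "${major:=0}" "${minor:=0}" "${patch:=0}"
  echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Pull the libcurl version out of a `curl --version` banner line, e.g.
# "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 ..."
libcurl_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print FIXED when the version is 8.4.0 or newer, PRE_FIX when it is older
# (check for a backported fix before treating PRE_FIX as vulnerable), and
# UNKNOWN when no version could be parsed.
classify_libcurl() {
  if [ -z "$1" ]; then
    echo UNKNOWN
  elif [ "$(version_key "$1")" -ge "$(version_key 8.4.0)" ]; then
    echo FIXED
  else
    echo PRE_FIX
  fi
}

# Constructed sample banners (not captured from a real host).
SAMPLE_OLD='curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11 zlib/1.2.13'
SAMPLE_NEW='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13'

# Check the host's own curl when one is installed; otherwise skip quietly.
if command -v curl >/dev/null 2>&1; then
  banner=$(curl --version 2>/dev/null | head -n 1)
  printf 'host libcurl: %s\n' "$(classify_libcurl "$(libcurl_version_from_banner "$banner")")"
fi
```

Run it on each host (or feed it banners collected by your inventory tooling) and triage anything reported as PRE_FIX against the vendor advisory for that package; statically linked copies of libcurl inside other binaries will not show up in `curl --version` and need a separate software-composition check.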
https://thehackernews.com/2023/10/two-high-risk-security-flaws-discovered.html
https://www.theregister.com/2023/10/11/vulnerabilities_in_curl_receive_patches/
This segment was created for the It’s 5:05 podcast