The CVE page on curl.se is also online as of now: https://curl.se/docs/CVE-2023-38545.html
"[PATCH] socks: return error if hostname too long for remote resolve
Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."
Will people stop messing with unsafe buffers in C already? Even just using C++ with the most basic buffer/dynamic array template would have prevented this issue.
While this is a double screw up, I really like how the patch corrected the original issue but also removed this complex and unlikely path.
The drama and suspense around this has been crazy lol. It's pretty bad but they hyped it up like it was the next log4j.
Wat.
So you can only be attacked if you're using a socks5 proxy, and even then you can only be attacked by your own proxy? Which rules out things like torsocks where you're running the proxy too.
Does this really merit all of last week's antics?
cURL's own tracker had a banner stating severity High to be released October 11.
It's October 11 and was already October 11 for a lot of the world 13 hours ago (as of writing) when this patch was posted. Nothing was early, nothing was leaked.
EDIT: Why the downvotes? People don't like timezones or something?