Submitted 1 year ago by taaz@biglemmowski.win to programming@programming.dev
https://github.com/curl/curl/discussions/12026
Posted on twitter by Curl author - nitter.cz/bagder/status/1709103920914526525
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE. Buckle up.
… But this time actually the worst security problem found in curl in a long time
I want to thank the curl developers for taking security issues seriously to keep me safe.
Now I’m going to go pipe another curl script output directly into a sudo bash command. /s
We need a version of /s for “I’m not actually don’t this right now… but we know I still will…”
Black616Angel@feddit.de 1 year ago
Who also guesses buffer overflow or use-after-free?
ultratiem@lemmy.ca 1 year ago
Buffer overflows are like Lupus in House M.D.
__init__@programming.dev 1 year ago
It’s not overflow. It’s never overflow.
aoidenpa@lemmy.world 1 year ago
Why don’t they just rewrite it in rust? It would be much safer right?
unquietwiki@programming.dev 1 year ago
I think that’s been asked before. That’d be a massive undertaking, and they also support architectures that I don’t think Rust does (yet).
fil@programming.dev 1 year ago
You can already use hyper (written in rust) for http stuff in curl aws.amazon.com/…/how-using-hyper-in-curl-can-help… I wonder if the vulnerability touches this use case as well