Since curl is used by a wide variety of operating systems, applications and IoT devices, the pre-announcement makes sense, as it allows organizations to audit their own systems, find all instances of curl and libcurl in use, and make a plan for enterprise-wide patching.
The curl project has also simultaneously shared the info about the flaws with developers of a variety of Linux, Unix and Unix-like distributions, so they can prepare patches/updated packages in advance of the curl v8.4.0 release.
CVE-2023-38545, reported by Jay Satiro, affects the curl command-line tool and the libcurl library.
“When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy,” the associated advisory explains.
CVE-2023-38545 affects curl and libcurl from version 7.69.0 to v8.3.0.
The curl project advises users to update curl/libcurl to version 8.4.0 or to patch older versions, and has shared additional/alternative mitigations in the advisories.
