Vumetric is now part of the TELUS family! Learn more →

Curl project squashes high-severity bug in omnipresent libcurl library (CVE-2023-38545)

Since curl is used by a wide variety of operating systems, applications and IoT devices, the pre-announcement makes sense, as it allows organizations to audit their own systems, find all instances of curl and libcurl in use, and make a plan for enterprise-wide patching.

The curl project has also simultaneously shared the info about the flaws with developers of a variety of Linux, Unix and Unix-like distributions, so they can prepare patches/updated packages in advance of the curl v8.4.0 release.

CVE-2023-38545, reported by Jay Satiro, affects the curl command-line tool and the libcurl library.

“When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes. If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy,” the associated advisory explains.

CVE-2023-38545 affects curl and libcurl from version 7.69.0 to v8.3.0.

The curl project advises users to update curl/libcurl to version 8.4.0 or to patch older versions, and has shared additional/alternative mitigations in the advisories.

Share this article on social media:

Subscribe to Our Newsletter!
Stay on top of cybersecurity risks, evolving threats and industry news.
This field is for validation purposes and should be left unchanged.

Recent News

Featured Services

The Latest Cybersecurity News

From major cyberattacks, newly discovered critical vulnerabilities to recommended best practices, read it here first:

BOOK A MEETING

Enter your Email Address

This field is for validation purposes and should be left unchanged.

* No free email provider (e.g: gmail.com, hotmail.com, etc.)

2024 EDITION

Penetration Testing Buyer's Guide

Everything You Need to Know

Gain full confidence in your future cybersecurity assessments by learning to plan, scope and execute projects.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.