cross-posted from: https://biglemmowski.win/post/224873
Posted on twitter by Curl author Daniel Stenberg - https://nitter.cz/bagder/status/1709103920914526525
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE. Buckle up.
… But this time actually the worst security problem found in curl in a long time
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
There sure have been a lot of CVEs in the last couple of weeks!
For real. One with .webp, one with privilege escalation, and now this.
Canonical has been aggressively expanding their security team, and Levels.fyi showed last quarter that security researchers were some of the highest-paid forms of software development.
Doesn't guarantee anything long-term, but there are a few suggestions that security has gotten a larger focus lately.
Good. There’s so much chain of trust in the OSS community that it’s hard to keep up with the tens of thousands of libraries that literally hold up the Internet.
It’s a shame we discover these critical bugs so late in the process, but at least we discover them at all…