On Mon, 12 Jun 2023, Syedhafeez, Nikhath via curl-library wrote:
> CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50 (
> 7.74.0-1.3+deb11u7) , any plans to remediate this issue??
We, as the curl project, fix all security issues on the day they are made
public. We fix them by releasing new fixed versions and we provide patches for
them. We do not patch older versions as we do not particularly support
anything but the latest version. I would urge you to buy curl support to get
that.
If you use a Linux distribution, you get your updates from the distribution
and you should rather send them this question.
However, I think your statement has some additional confusing components:
> curl 7.50 (7.74.0-1.3+deb11u7)
Is it 7.50 or is it 7.74.0 ?
> CVE-2023-23914 and CVE-2022-43551 is reported on curl 7.50
I took a look at what we claim about these two issues:
https://curl.se/docs/CVE-2023-23914.html
https://curl.se/docs/CVE-2022-43551.html
Both very clearly state that the first affected version was 7.77.0. The last
affected version is 7.87.0 in the first case and 7.86.0 in the second.
So, neither 7.50 nor 7.74.0 are affected by these flaws.
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://curl.se/support.html
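
The range check made by hand in the message above, as an added example that is not part of the original e-mail or the curl project's code. It assumes the Debian version layout `[epoch:]upstream[-revision]`; the function names are hypothetical, and the affected ranges and version strings are the ones quoted in the message.

```python
import re

# First and last affected upstream versions, as stated in the message above.
AFFECTED = {
    "CVE-2023-23914": ("7.77.0", "7.87.0"),
    "CVE-2022-43551": ("7.77.0", "7.86.0"),
}

def upstream_version(pkg_version):
    """Strip a Debian-style epoch and revision: [epoch:]upstream[-revision]."""
    v = pkg_version.strip()
    if ":" in v:
        v = v.split(":", 1)[1]      # drop the epoch
    if "-" in v:
        v = v.rsplit("-", 1)[0]     # drop the Debian revision (e.g. 1.3+deb11u7)
    return v

def as_tuple(version):
    """'7.74.0' -> (7, 74, 0); a short form such as '7.50' is padded to (7, 50, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part or 0) for part in m.groups())

def in_affected_range(pkg_version, cve):
    """True when the upstream version lies inside the advisory's affected range.

    True only means the upstream number is in range; a distribution may have
    patched the flaw without changing that number, so check its tracker too.
    """
    first, last = AFFECTED[cve]
    return as_tuple(first) <= as_tuple(upstream_version(pkg_version)) <= as_tuple(last)

def report(pkg_version):
    """Map each CVE from the message to whether pkg_version is in its range."""
    return {cve: in_affected_range(pkg_version, cve) for cve in AFFECTED}

if __name__ == "__main__":
    # Both version strings from the original question.
    for candidate in ("7.50", "7.74.0-1.3+deb11u7"):
        print(candidate, "->", upstream_version(candidate), report(candidate))
```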