curl 7.74.0 is released with experimental HSTS support. The 196th curl release has 107 bug-fixes, including three fixed vulnerabilities. 46 contributors (22 mew) made this in 56 days, out of which 22 were authors (8 new).

· · Web · 1 · 5 · 4

At 9:00 UTC today, Dec 9, you can see the live-streamed curl 7.74.0 release presentation with me going through the highlights and digging into some details on what's new and special with this release.

CVE-2020-8284: A malicious server can use a `PASV` response to trick curl into connecting to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed.

CVE-2020-8285: A malicious server can DOS a libcurl-using application that uses FTP wildcard matching and that skips certain entries, by providing as skipped entries until libcurl overflows the stack due to recursive calls.

CVE-2020-8286: This flaw would allow an attacker, who perhaps could have breached a TLS server, to provide a fraudulent OCSP stapling response that would appear fine to curl. Possibly avoiding for example a revoked cert to be detected.

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!