Hello everybody,


the differences between the monikers "curl", "cURL", and "libcurl" are well 
understood and documented [1]. However, the security advisories seem to not 
strictly follow this distinction. A few examples:



Advisory for CVE-2020-8231 [2]:

The description clarifies that this vulnerability affects libcurl and not curl. 
The "Affected Versions" section is consistent with that information and the 
distinction. However, the "Recommendations" section suggests to update curl 
(not libcurl, nor cURL).



Advisory for CVE-2020-8169 [3]:

The description only ever mentions libcurl, same for the "Affected Versions" 
section. However, the "Info" section clearly mentions that this affects both 
curl and libcurl. Additionally, the "Recommendations" section suggests to 
update curl, without mentioning libcurl, even though the latter is affected as 
well.



Other advisories [4, 5] only mention curl, without clarifying if libcurl is 
affected as well (which is however likely).



Is there a specific reason for this divergence between different advisories?



Kind regards,

Daniel



[1] https://daniel.haxx.se/docs/curl-vs-libcurl.html

[2] https://curl.haxx.se/docs/CVE-2020-8231.html

[3] https://curl.haxx.se/docs/CVE-2020-8169.html

[4] https://curl.haxx.se/docs/CVE-2018-1000300.html

[5] https://curl.haxx.se/docs/CVE-2018-0500.html




