On Fri, 13 Sep 2024, Jody Sherwin via curl-users wrote:

Hello,

During our monthly Nessus Security Vulnerability Scan we have received a
few separate results on needing to upgrade the version of the [curl.exe]
and the [libcurl.dll] files on a few Windows machines, and I had a few
questions on this...

I was wondering how do I go about these upgrades as it seems the files are
installed in a few separate locations?
...
If so, do I perhaps reach out to you guys on this, or is this something
that the manufacturers like HPE, Microsoft, SAP BusinessObjects, and the
Shibboleth Support folks would assist on instead??
...

Fandrich has good advice, if indeed the vendors noted are willing to help. If you are a small customer, they may not share your concerns and will refuse to help. In that case I would look at how curl is being used. If you only use it to contact sites known to be trustworthy, it would be reasonable to leave things be. If you have constraints that require a clean scan, try replacing the existing binaries with updated ones from the curl website. Save the existing ones and do some testing. It is likely to be fine.

You may find this of interest:

https://www.invicti.com/blog/web-security/why-curl-buffer-overflow-vulnerability-is-not-next-log4shell/

Daniel Feenberg
NBER
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
