curl vulnerabilities ironed out with patches after week-long tease

October 11, 2023

After a week of rampant speculation about the nature of the security issues in curl, the latest version of the command-line transfer tool was finally released today.

Described by curl project founder and lead developer Daniel Stenberg as “probably the worst curl security flaw in a long time,” the patches address two separate vulnerabilities: CVE-2023-38545 and CVE-2023-38546.

We now know the first vulnerability, CVE-2023-38545, is a heap-based buffer overflow flaw that affects both libcurl and the curl tool, carrying a severity rating of “high.” Possible outcomes of such issues include the corruption of data and, in the worst cases, the execution of arbitrary code.

Read More on The Register