Updates for curl? (CVE-2023-38545 & CVE-2023-38546)

Everything related to the OpenVMS security model, system access, system and data protection, and security auditing.


Post by dmjb » Thu Oct 12, 2023 2:14 pm

I was wondering if VSI plans to issue an update to the curl package to address the security vulnerabilities in curl (CVE-2023-38545 & CVE-2023-38546) which were announced this week?



Re: Updates for curl? (CVE-2023-38545 & CVE-2023-38546)

Post by mberryman » Wed Nov 01, 2023 5:15 pm

I haven't seen a reply to this come through so, for anyone that is interested, you are welcome to my build of Curl 8.4.0 until VSI releases one. It is available at https://theberrymans.com/php_kits/curl-8_4_0.zip (I really need to rename that directory).

A couple of notes:
1. This kit includes LDAP support so the VSI LDAP kit (either 2.5 or 2.6) needs to be installed.
2. If you are not already aware, you can place a file called cert.pem containing certificates for all of the CAs that you trust in SSL3$CERTS: and any program that calls X509_STORE_set_default_paths() will automatically load them. I use the same ones that Mozilla uses, which can be downloaded from http://curl.haxx.se/docs/caextract.html

Example: curl -O https://vmssoftware.com/docs/VSI_X86V921_RN.pdf

$ curl -V
curl 8.4.0 (OpenVMS x86_64) libcurl/8.4.0 OpenSSL/3.0.10 zlib/1.2.12 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.57.0 OpenLDAP/2.6.6
Release-Date: 2023-10-11
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets
Last edited by mberryman on Wed Nov 01, 2023 5:18 pm, edited 1 time in total.
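The check a system manager would want to run across hosts after a thread like this, as an added shell example (not code from the thread, from VSI or from the curl project): it parses the first line of `curl -V` output, extracts the libcurl version and reports whether it is at or above 8.4.0, the release (dated 2023-10-11 above) that shipped the fixes for both CVEs. The first sample line is the one pasted in the post above; the second sample line and all function names are constructed for this example.

```shell
#!/bin/sh
# Minimum libcurl version that contains the fixes for
# CVE-2023-38545 and CVE-2023-38546 (curl 8.4.0, released 2023-10-11).
FIXED_VERSION=8.4.0

# First line of `curl -V` as pasted in the thread above (OpenVMS x86-64 build).
SAMPLE_FIXED='curl 8.4.0 (OpenVMS x86_64) libcurl/8.4.0 OpenSSL/3.0.10 zlib/1.2.12 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.57.0 OpenLDAP/2.6.6'
# Constructed sample of an older build that still needs the update.
SAMPLE_OLD='curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.9 zlib/1.2.13'

# libcurl_version LINE: print the libcurl/X.Y.Z version from a `curl -V` first line.
# The flaws live in libcurl, so that is the number that matters, not the front-end.
libcurl_version() {
  printf '%s\n' "$1" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# field VERSION N: N-th dotted component of VERSION (empty if absent).
field() {
  printf '%s\n' "$1" | cut -d. -f"$2"
}

# version_ge A B: exit 0 when dotted numeric version A >= B, else 1.
# Compares up to three numeric components; missing components count as 0.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(field "$1" "$i")
    y=$(field "$2" "$i")
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# libcurl_status LINE: print "fixed", "update" or "unknown" for a `curl -V` first line.
libcurl_status() {
  v=$(libcurl_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"
    return 0
  fi
  if version_ge "$v" "$FIXED_VERSION"; then
    echo "fixed"
  else
    echo "update"
  fi
}

# Stand-alone usage: on a real host replace the samples with "$(curl -V | head -n 1)".
echo "sample from thread: $(libcurl_status "$SAMPLE_FIXED")"
echo "constructed older build: $(libcurl_status "$SAMPLE_OLD")"
```

The version string is only a first pass: a vendor kit may carry a backported fix under an older number, so confirm against the vendor's own advisory before closing a ticket, and on OpenVMS make sure you are looking at the libcurl image the applications actually activate, not just the one on the command-line path.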


Re: Updates for curl? (CVE-2023-38545 & CVE-2023-38546)

Post by neilrieck » Thu Nov 02, 2023 4:33 pm

Hello Mark (long time, no type),

I realize this is not the correct area to be asking this question, but have you published a port of mariadb-5.5 for OpenVMS x86-64?

(IIRC, you previously told me why going above version 5 on OpenVMS was not possible at this time)
