Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libcurl vulnerabilities in v8.4.9 #36

Closed
K2Manning opened this issue Feb 16, 2023 · 7 comments
Closed

libcurl vulnerabilities in v8.4.9 #36

K2Manning opened this issue Feb 16, 2023 · 7 comments
Assignees
@donho

Comments

@K2Manning
Copy link

mkruntest identified libcurl version 7.79.1-DEV in the latest version of NP++ (v8.4.9)

per curls website (https://curl.se/) v7,88.0 is the latest available and should mitigate the vulnerabilities identified here (https://curl.se/docs/vuln-7.79.1.html)

Is it possible for development to upgrade and test libcurl to the latest verion within NP++ to mitigate all open vulnerabilities?

Thank you
Please have a great day
@donho donho self-assigned this Feb 25, 2023
@pryrt
Copy link

pryrt commented Aug 2, 2023
edited
Loading

@donho, there's another user who just reported this in the Community, and included that it's specifically CVE-2023-32001 that is at issue.

So my reply here is a "ping" to remind you that it's still open. :-)

addendum: also, if this issue is fixed/closed, then the original notepad-plus-plus/notepad-plus-plus#13139 should also be closed

@pryrt pryrt mentioned this issue Aug 2, 2023
Closed
@chcg chcg mentioned this issue Aug 12, 2023
Closed
@donho
Copy link
Member

donho commented Aug 13, 2023

111f0de

@donho donho closed this as completed Aug 13, 2023
@pryrt
Copy link

pryrt commented Nov 15, 2023

@donho,

When I was looking into https://community.notepad-plus-plus.org/topic/25136/libcurl-cve-2023-38545-in-updater , I was surprised to see that the user still got libcurl 7.79.1, since this closed issue said that libcurl was updated to v8.2.1 months ago.

However, I just checked the Notepad++ v8.5.8 installer, and the updater\libcurl.dll that is in the most recent installer still says that it's 7.79.1.

image

Did this wingup commit not get propagated to the Notepad++ installer? Or something else?

@donho donho reopened this Nov 15, 2023
@donho
Copy link
Member

donho commented Nov 16, 2023

@pryrt
You're right about it.
After checking the release process, I cannot find the the reason of this bad deployment.
Anyway, I will check it more carefully in the future.
Thank you for your heads up.

@donho
Copy link
Member

donho commented Nov 16, 2023

2dfffa9

@donho donho closed this as completed Nov 16, 2023
@pryrt
Copy link

pryrt commented Nov 18, 2023
edited
Loading

And for the record, I have independently confirmed that the v8.6 RC does indeed correctly ship with libcurl 8.4, which thus fixes both this and #50. :-)

Again, thank you for the fix.

@donho
Copy link
Member

donho commented Nov 18, 2023

Thank you @pryrt for letting me know this issue!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@donho donho

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

update to curl 8.2.1 from https://curl.se/download/curl-8.2.1.zip chcg/wingup
3 participants
@donho @pryrt @K2Manning