cross-posted from: https://biglemmowski.win/post/224873
Posted on twitter by Curl author Daniel Stenberg - https://nitter.cz/bagder/status/1709103920914526525
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including a fix for a severity HIGH CVE. Buckle up.
… But this time actually the worst security problem found in curl in a long time
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38545
Could be something curl parses that escapes the intended program boundaries. Basically the same way the latest image vulnerabilities affecting iOS, Android and browsers has been happening