Skip to main content

#curl 8.6.0 is released. 7 changes, 150+ bugfixes, 1 security advisory.

daniel.haxx.se/blog/2024/01/31…

curl 8.6.0 | daniel.haxx.se

daniel.haxx.se
#curl
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://

Learn about CVE-2024-0853 "OCSP verification bypass with TLS session reuse" here:

curl.se/docs/CVE-2024-0853.htm…

curl - OCSP verification bypass with TLS session reuse - CVE-2024-0853

curl.se
in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
come watch the release presentation live on twitch, today at 09:00 UTC: twitch.tv/curlhacker (in less than two hours)

curlhacker - Twitch

I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Twitch
in reply to daniel:// stenberg://

Jim Fuller
Jim Fuller
and official curl container built, tested and scanned - pushed to quay.io and docker.io ... try it out yourself > podman run quay.io/curl/curl:8.6.0 -V

daniel:// stenberg:// reshared this.

in reply to daniel:// stenberg://

daniel:// stenberg://
daniel:// stenberg://
the original #hackerone report for CVE-2024-0853 is now public: hackerone.com/reports/2298922

curl disclosed on HackerOne: CVE-2024-0853: OCSP verification...

## Summary: In version 8.5.0, cURL has inadvertently established a pathway for accepting revoked certificates. As a result of [this...
HackerOne
#hackerone
in reply to daniel:// stenberg://

Aaron Kulbe
Aaron Kulbe
Are there any distros that keep up with your release cadence and have $CURRENT or do you need to build it yourself if you want that?
in reply to Aaron Kulbe

daniel:// stenberg://
daniel:// stenberg://
@pdxmisfit lots of them do, but you then need to use that flavor. Like Debian unstable for example
@Aaron Kulbe