-1

our vulnerability management team classifies this CVE in curl as crtitical:

https://curl.se/docs/CVE-2023-38545.html

We are using Alma 9.4 and the newest curl Version provided bei Alma is 7.76.

But the smallest Version of curl to mitigate the problem is 8.4.0

What is the best way to update curl on Alma 9?

Actually we built curl 8.8.0 from sources, but not with all features as in the official distro, since then many, many other dependent packages would have been built first.

https://git.almalinux.org/rpms/curl/src/tag/imports/c9/curl-7.76.1-29.el9_4/SPECS/curl.spec

I am mainly wondering why I have not found anybody else on the internet asking for the same.

Bonus Question: Why Alma9.4 (or RHEL9.4), which was just released, provides a 3-years old version of curl!?

Many thanks

Michael

mmoossen
  • 119

1 Answers1

1

Thanks for the hint @vidarlo.

That explains all the patches in the spec-File, which i just quickly removed without reading :(.

And there you find it immediatly.

# return error if hostname too long for remote resolve
Patch33:  0033-curl-7.76.1-CVE-2023-38545.patch

so, no need to update anything.

mmoossen
  • 119