libcurl vulnerabilities in v8.4.9
K2Manning opened this issue
mkruntest identified libcurl version 7.79.1-DEV in the latest version of NP++ (v8.4.9)
Per curl's website (https://curl.se/), v7.88.0 is the latest available and should mitigate the vulnerabilities identified here (https://curl.se/docs/vuln-7.79.1.html)
Is it possible for development to upgrade and test libcurl to the latest version within NP++ to mitigate all open vulnerabilities?
Thank you
Please have a great day
@donho, there's another user who just reported this in the Community, and included that it's specifically CVE-2023-32001 that is at issue.
So my reply here is a "ping" to remind you that it's still open. :-)
addendum: also, if this issue is fixed/closed, then the original notepad-plus-plus/notepad-plus-plus#13139 should also be closed
When I was looking into https://community.notepad-plus-plus.org/topic/25136/libcurl-cve-2023-38545-in-updater , I was surprised to see that the user still got libcurl 7.79.1, since this closed issue said that libcurl was updated to v8.2.1 months ago.
However, I just checked the Notepad++ v8.5.8 installer, and the updater\libcurl.dll that is in the most recent installer still says that it's 7.79.1.
Did this wingup commit not get propagated to the Notepad++ installer? Or something else?
@pryrt
You're right about it.
After checking the release process, I cannot find the reason of this bad deployment.
Anyway, I will check it more carefully in the future.
Thank you for your heads up.