A twenty-five year old curl bug

by
Thom Holwerda
from OSnews on (#6SWPF)

When we announced the security flaw CVE-2024-11053 on December 11, 2024 together with the release of curl 8.11.1 we fixed a security bug that was introduced in a curl release 9039 days ago. That is close to twenty-five years.

The previous record holder was CVE-2022-35252 at 8729 days.

Daniel Stenberg

It's really quite fascinating to see details like this about such a widespread and widely used tool as curl. The bug in question was a logic error, which led Stenberg to point out that a modern language like Rust, instead of C, would not have prevented this particular issue. Still, about 40% of all security issues in curl stem from not using a memory-safe language, or about 50% of all high/critical severity ones. I understand that jumping on every bandwagon and rewriting everything in a memory-safe language is a lot harder than it sounds, but I also feel like it's getting harder and harder to keep justifying using old languages like C.

I really don't know why people get so incredibly upset at the cold, hard data about this.

Anyway, the issue that sparked this post is fixed in curl 8.11.1.
