Long-awaited curl vulnerability fails to live up to the hype

A pair of highly anticipated vulnerabilities revealed on Wednesday in a ubiquitous piece of open source software appear to be far less threatening than many researchers feared.


The two vulnerabilities impact the curl and libcurl programs, which are believed to have been installed some 50 billion times and are used to transfer files using network protocols. The two programs represent basic building blocks of the internet, and a sufficiently severe bug impacting them might impact nearly anything connecting to a web server.


The release of the two bugs had been highly anticipated in the security community, with the program’s lead developer, Daniel Stenberg, describing the more severe bug as “the worst curl security flaw in a long time.”


But security researchers expecting the next Log4Shell — an easily exploitable vulnerability with a huge install base — were disappointed that the bug is only exploitable in rare circumstances.

A maintainer for Red Hat’s CentOS, who released a fix around 14 hours earlier than anticipated, revealed the vulnerability to be a buffer overflow issue that can only be taken advantage of under highly specific circumstances. Researchers awaiting the patch either breathed a sigh of relief or expressed annoyance that the bug was not as serious as initially thought.


The more severe of the two vulnerabilities revealed Wednesday revolves around using curl to connect through SOCKS5 — a proxy frequent ..