CURL 7.86.0

ps4all

Changes:

Bugfixes:


Also fixes:
CVE-2022-42916: HSTS bypass via IDN
CVE-2022-42915: HTTP proxy double-free
CVE-2022-35260: .netrc parser out-of-bounds access
CVE-2022-32221: POST following PUT confusion
 
DirectAdmin intends to drop custom installation of cURL in favor of using the version installed from OS repository.
 
That s*cks...
Well, for now I solved it by changing the download URL in build:

CURL_DOWNLOADURL="${WEBPATH}/curl-${CURL_VER}.tar.gz"

into

CURL_DOWNLOADURL="https://curl.se/download/curl-${CURL_VER}.tar.gz"

That did its job; still got it installed faster compared to the distro.
 
Be prepared that it's possible this doesn't work anymore in newer DA/CB versions.
Yeah... was already afraid of that...

Sucks because with some distros (like Debian) it sometimes takes ages before a new update is taken into their repos unless you're using and satisfied with the unstable/testing branch. Besides that, I'm also wondering how secure it will remain. The past updates of curl contained quite some security fixes to solve vulnerabilities, which isn't for nothing, so it's strange to see some people (here and there) say the OS version is good/safe enough.
 
DirectAdmin intends to drop custom installation of cURL in favor of using the version installed from OS repository.
That doesn't seem to be the wisest thing. See the release post of DA RC; I just posted in there.
It seems that the OS versions have older versions of curl present than the one currently used by DA custombuild.
 
@ps4all For Debian I routinely use the backports repo to get newer versions of some applications. In most cases they are an acceptable version, but they won't be the latest; as long as they are patched I'm fine with not having the latest versions. (e.g. Debian 11 curl is 7.74.0-1.3+deb11u2, bullseye-backports has 7.85.0-1~bpo11+1 at this time.)
 
curl from the OS will be patched directly by the distro, but it shows a version like "7.61.1-XX".
Normally yes, but when you execute the -V command you see this:
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.6/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05 (and no -25 mentioned)

But in the changelog they mention this as the latest backported 7.61.1 version:
2022-06-29 - Kamil Dudka <[email protected]> - 7.61.1-25
- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
- fix HTTP compression denial of service (CVE-2022-32206)
- fix FTP-KRB bad message verification (CVE-2022-32208)

So there is some confusion here. It is a good idea to keep the cURL managed by CB instead of the OS.
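The confusion in the post above is exactly why `curl -V` is the wrong check on RHEL-family distros: the vendor backports CVE fixes into the 7.61.1-NN package without bumping the upstream version string, so the package changelog is the authoritative record. The script below is an added example, not from the thread or from DirectAdmin. It parses constructed sample text modelled on the `curl -V` line and the `rpm -q --changelog curl` entry quoted above, and reports whether a given CVE identifier appears in the changelog. The function names and the sample strings are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a distro-supplied curl
# carries a backported CVE fix. `curl -V` only reports the upstream version
# (7.61.1), so the package changelog is what actually records backports.

# Constructed sample: first line of `curl -V` on a RHEL 8 style host.
SAMPLE_CURL_V='curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1k zlib/1.2.11'

# Constructed sample: excerpt of `rpm -q --changelog curl` on the same host,
# modelled on the 7.61.1-25 entry quoted in the thread.
SAMPLE_CHANGELOG='* Wed Jun 29 2022 Kamil Dudka - 7.61.1-25
- setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION (#2063703)
- fix HTTP compression denial of service (CVE-2022-32206)
- fix FTP-KRB bad message verification (CVE-2022-32208)'

# upstream_version "<curl -V first line>" -> prints "7.61.1"
upstream_version() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# backport_release "<changelog text>" -> prints the newest package release,
# taken from the last field of the first "* ..." header line, e.g. "7.61.1-25"
backport_release() {
    printf '%s\n' "$1" | awk '/^\* / {print $NF; exit}'
}

# cve_fixed "<changelog text>" CVE-YYYY-NNNN -> exit 0 if the changelog names
# the CVE, 1 otherwise. -w keeps CVE-2022-3220 from matching CVE-2022-32206,
# -i tolerates lowercase identifiers in vendor entries.
cve_fixed() {
    printf '%s\n' "$1" | grep -qiw -- "$2"
}

# check_cve "<curl -V line>" "<changelog text>" CVE-ID
# Prints a one-line verdict; returns 0 if the CVE is listed, 1 if not.
check_cve() {
    ver=$(upstream_version "$1")
    rel=$(backport_release "$2")
    if cve_fixed "$2" "$3"; then
        printf 'curl %s (package %s): %s fixed by distro backport\n' "$ver" "$rel" "$3"
        return 0
    fi
    printf 'curl %s (package %s): %s NOT mentioned in package changelog\n' "$ver" "$rel" "$3"
    return 1
}

# Live usage on an RPM host (assumes rpm and curl are on PATH; not run here):
#   check_cve "$(curl -V | head -n 1)" "$(rpm -q --changelog curl)" CVE-2022-32206
# On Debian/Ubuntu the equivalent source is the package changelog, e.g.
#   zcat /usr/share/doc/curl/changelog.Debian.gz

check_cve "$SAMPLE_CURL_V" "$SAMPLE_CHANGELOG" CVE-2022-32206 || true
check_cve "$SAMPLE_CURL_V" "$SAMPLE_CHANGELOG" CVE-2022-42916 || true
```

A "NOT mentioned" result is not proof the host is vulnerable: vendors sometimes judge a CVE not applicable to the version they ship (for example code that was added upstream after 7.61.1) and never list it, so the package's security advisory page is the next place to look before escalating.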
 
I just noticed this..... What is the reasoning here? I know both will install in the same paths (I assume), but if it ain't broken, don't try to fix it.

Has someone from the cPanel team joined JBMC?! /s

Edit: Just noticed CB does an apt/yum now before compile.... Hmmm
 
@ps4all For Debian I routinely use the backports repo to get newer versions of some applications. In most cases they are an acceptable version, but they won't be the latest; as long as they are patched I'm fine with not having the latest versions. (e.g. Debian 11 curl is 7.74.0-1.3+deb11u2, bullseye-backports has 7.85.0-1~bpo11+1 at this time.)
Exactly what I meant with the unstable/testing branch, because in the end that's what backports is (at least, that's what I understood).

This whole decision is pretty strange; updates for curl aren't rolled out for nothing (look at the vulnerability list), so I wonder if this isn't going to result in security issues.
 
So how can we update to a safe curl version now?
Especially on CentOS 7, which uses 7.29.0.
 
Removing cURL from CB is a poor action by DirectAdmin. My VPS has dozens of scripts looking for the "updated" version of cURL in /usr/local/bin which no longer exists. So, we can point to cURL version 7.29.0. That is way old!!

DirectAdmin intends to drop custom installation of cURL in favor of using the version installed from OS repository.

The update message this morning (for root) seems to verify this:

cURL 7.85.0 to OS update is available.

However, the previous version of cURL (7.85.0) in /usr/local/bin/ is now GONE!

Any suggestions on how to accomplish "... using the version installed from OS repository" ?
 
Ah, I think this is a problem for my customers too. Running 7.29.0 now, but their functions aren't running anymore.

Code:
./build update_versions

Is not giving an update for cURL.
 
Another vote to keep cURL as it was. IMO it falls in the same category as apache.
The OS supplied cURL version is too far behind feature wise.
There are new features all the time.
 