| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3844C59D3F7C4D93AED62EC55BCDB024@H270> Date: Thu, 12 Oct 2023 00:58:16 +0200 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <fulldisclosure@...lists.org> Subject: [FD] Defense in depth -- the Microsoft way (part 86): shipping rotten software to billions of unsuspecting customers Hi @ll, the 7 cURL versions after 8.0.1, released March 20, 2023, <https://curl.se/docs/releases.html>, fix the following 3 vulnerabilities <https://curl.se/docs/vulnerabilities.html>: CVE-2023-38039 <https://curl.se/docs/CVE-2023-38039.html> CVE-2023-38545 <https://curl.se/docs/CVE-2023-38545.html> CVE-2023-38546 <https://curl.se/docs/CVE-2023-38546.html> Once again (really: for several months), in their VERY finite wisdom (really: almost INFINITE sloppy- and lazyness), Microsoft but dares to ship rotten and vulnerable software (i.e. cURL.exe 8.0.1) to billions of unsuspecting customers, i.e. they fail MISERABLY in following their own mantra "Keep your (build) systems patched". The MSKB article <https://support.microsoft.com/en-us/kb/5031354> titled "October 10, 2023-KB5031354 (OS Build 22621.2428)" provides the following "file information" for Windows 11 22H2 <https://download.microsoft.com/download/5/4/4/544a5341-96a2-491f-9563-bf260206564f/5031354.csv>: | "curl.exe","8.0.1.0","01-Oct-2023","02:06","559,616" ... | "curl.exe","8.0.1.0","01-Oct-2023","02:06","445,952" ... | "curl.exe","8.0.1.0","01-Oct-2023","02:06","498,688" ... | "curl.exe","8.0.1.0","01-Oct-2023","02:24","566,272" ... | "curl.exe","8.0.1.0","01-Oct-2023","02:24","498,688" The MSKB article <https://support.microsoft.com/en-us/kb/5031356> titled "October 10, 2023-KB5031356 (OS Builds 19044.3570 and 19045.3570)" provides the following "file information" for Windows 10 22H2 <https://download.microsoft.com/download/e/9/9/e994fe4f-a5fe-49ae-ac4d-ce139efd147d/5031356.csv>: | "curl.exe","8.0.1.0","30-Sep-2023","21:45","559,616" ... | "curl.exe","8.0.1.0","30-Sep-2023","21:45","445,952" ... | "curl.exe","8.0.1.0","30-Sep-2023","21:45","498,688" ... | "curl.exe","8.0.1.0","30-Sep-2023","23:39","566,272" ... | "curl.exe","8.0.1.0","30-Sep-2023","23:39","498,688" ... | "curl.exe","8.0.1.0","30-Sep-2023","21:21","498,688" The MSKB article <https://support.microsoft.com/en-us/kb/5031358> titled "October 10, 2023-KB5031358 (OS Build 22000.2538)" provides the following "file information" for Windows 11 21H2 <https://download.microsoft.com/download/0/1/7/01776958-e4d8-4015-82c9-72539ce3cbcc/5031358.csv>: | "curl.exe","8.0.1.0","30-Sep-2023","20:15","559,616" ... | "curl.exe","8.0.1.0","30-Sep-2023","20:15","445,952" ... | "curl.exe","8.0.1.0","30-Sep-2023","20:15","498,688" ... | "curl.exe","8.0.1.0","30-Sep-2023","22:23","566,272" ... | "curl.exe","8.0.1.0","30-Sep-2023","22:23","498,688" The MSKB article <https://support.microsoft.com/en-us/kb/5031361> titled "October 10, 2023-KB5031361 (OS Build 17763.4974)" provides the following "file information" for Windows 10 1809, Windows Server 1809, and Windows Server 2019 <https://download.microsoft.com/download/2/8/9/289b2614-512f-4284-a36d-b1e7fee365bd/5031361.csv>: | "curl.exe","8.0.1.0","29-Mar-2023","21:55","559,616" ... | "curl.exe","8.0.1.0","29-Mar-2023","22:28","445,952" ... | "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688" ... | "curl.exe","8.0.1.0","29-Mar-2023","22:36","566,272" ... | "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688" ... | "curl.exe","8.0.1.0","30-Mar-2023","05:13","498,688" stay tuned, and far away from rotten software oozing out of Redmond Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists