Message-ID: <3844C59D3F7C4D93AED62EC55BCDB024@H270>
Date: Thu, 12 Oct 2023 00:58:16 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Subject: [FD] Defense in depth -- the Microsoft way (part 86): shipping rotten software to billions of unsuspecting customers

Hi @ll,

the 7 cURL versions after 8.0.1, released March 20, 2023,
<https://curl.se/docs/releases.html>, fix the following 3
vulnerabilities <https://curl.se/docs/vulnerabilities.html>:
CVE-2023-38039 <https://curl.se/docs/CVE-2023-38039.html>
CVE-2023-38545 <https://curl.se/docs/CVE-2023-38545.html>
CVE-2023-38546 <https://curl.se/docs/CVE-2023-38546.html>


Once again (really: for several months), in their VERY finite wisdom
(really: almost INFINITE sloppiness and laziness), Microsoft but dares to
ship rotten and vulnerable software (i.e. cURL.exe 8.0.1) to billions
of unsuspecting customers, i.e. they fail MISERABLY in following their
own mantra "Keep your (build) systems patched".


The MSKB article <https://support.microsoft.com/en-us/kb/5031354>
titled "October 10, 2023-KB5031354 (OS Build 22621.2428)" provides
the following "file information" for Windows 11 22H2
<https://download.microsoft.com/download/5/4/4/544a5341-96a2-491f-9563-bf260206564f/5031354.csv>:

| "curl.exe","8.0.1.0","01-Oct-2023","02:06","559,616"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:06","445,952"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:06","498,688"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:24","566,272"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:24","498,688"


The MSKB article <https://support.microsoft.com/en-us/kb/5031356>
titled "October 10, 2023-KB5031356 (OS Builds 19044.3570 and 19045.3570)"
provides the following "file information" for Windows 10 22H2
<https://download.microsoft.com/download/e/9/9/e994fe4f-a5fe-49ae-ac4d-ce139efd147d/5031356.csv>:

| "curl.exe","8.0.1.0","30-Sep-2023","21:45","559,616"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:45","445,952"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:45","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","23:39","566,272"
...
| "curl.exe","8.0.1.0","30-Sep-2023","23:39","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:21","498,688"


The MSKB article <https://support.microsoft.com/en-us/kb/5031358>
titled "October 10, 2023-KB5031358 (OS Build 22000.2538)" provides
the following "file information" for Windows 11 21H2
<https://download.microsoft.com/download/0/1/7/01776958-e4d8-4015-82c9-72539ce3cbcc/5031358.csv>:

| "curl.exe","8.0.1.0","30-Sep-2023","20:15","559,616"
...
| "curl.exe","8.0.1.0","30-Sep-2023","20:15","445,952"
...
| "curl.exe","8.0.1.0","30-Sep-2023","20:15","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","22:23","566,272"
...
| "curl.exe","8.0.1.0","30-Sep-2023","22:23","498,688"


The MSKB article <https://support.microsoft.com/en-us/kb/5031361>
titled "October 10, 2023-KB5031361 (OS Build 17763.4974)" provides the
following "file information" for Windows 10 1809, Windows Server 1809,
and Windows Server 2019
<https://download.microsoft.com/download/2/8/9/289b2614-512f-4284-a36d-b1e7fee365bd/5031361.csv>:

| "curl.exe","8.0.1.0","29-Mar-2023","21:55","559,616"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:28","445,952"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:36","566,272"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688"
...
| "curl.exe","8.0.1.0","30-Mar-2023","05:13","498,688"


stay tuned, and far away from rotten software oozing out of Redmond
Stefan Kanthak
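The "file information" rows quoted above all share one shape: a file name, a four-part file version, a date, a time and a size. The following script is an added example, not part of Stefan Kanthak's post and not a Microsoft or curl tool: it parses rows in exactly that shape (raw CSV or with the "| " quote prefix used in the post), keeps only the curl.exe entries, and reports which of the three CVEs named in the post are not fixed in the shipped version. The fixed-in versions are taken from curl's own advisories (CVE-2023-38039 fixed in 8.3.0, CVE-2023-38545 and CVE-2023-38546 fixed in 8.4.0); the sample input reuses rows from the post plus one constructed 8.4.0.0 row and one constructed libcurl.dll row to show a clean result and the name filter.

```python
"""Audit curl.exe rows in a Microsoft update "file information" CSV
against the curl releases that fixed the CVEs named in the post.

Added example; not code from the post, Microsoft or the curl project.
"""
import csv
import io

# Lowest curl release in which each CVE is fixed, per the curl.se advisories.
FIXED_IN = {
    "CVE-2023-38039": (8, 3, 0),
    "CVE-2023-38545": (8, 4, 0),
    "CVE-2023-38546": (8, 4, 0),
}

# Constructed sample: the first two rows are quoted from the post (KB5031354
# for Windows 11 22H2); the "..." lines mimic the post's elisions; the
# libcurl.dll and 8.4.0.0 rows are made up to exercise the filter and a
# non-vulnerable version. A real MSKB CSV also carries a header row, which
# the file-name filter below skips.
SAMPLE_ROWS = """\
| "curl.exe","8.0.1.0","01-Oct-2023","02:06","559,616"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:24","566,272"
...
| "libcurl.dll","8.0.1.0","01-Oct-2023","02:06","1,000,000"
| "curl.exe","8.4.0.0","11-Oct-2023","12:00","570,000"
"""


def parse_version(text):
    """Turn '8.0.1.0' into (8, 0, 1, 0); a non-numeric component counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))


def version_lt(a, b):
    """Compare version tuples numerically, padding with zeros so 8.4.0.0 == 8.4.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def missing_fixes(version):
    """Return the sorted list of CVEs whose fix postdates the given file version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version_lt(v, fixed))


def _strip_quote_prefix(text):
    """Accept rows as quoted in a mailing-list post ("| ...") or as raw CSV."""
    return "\n".join(line.lstrip("| ") for line in text.splitlines())


def audit_file_information(text, file_name="curl.exe"):
    """Parse CSV rows and report every file_name entry still missing a fix.

    Each finding is a dict with file, version, date, time, size and the
    list of unfixed CVEs. Rows with fewer than five fields (headers,
    blank or "..." lines) and rows for other files are ignored.
    """
    findings = []
    for row in csv.reader(io.StringIO(_strip_quote_prefix(text))):
        if len(row) < 5 or row[0].strip().lower() != file_name.lower():
            continue
        name, version, date, time, size = (f.strip() for f in row[:5])
        unfixed = missing_fixes(version)
        if unfixed:
            findings.append({"file": name, "version": version, "date": date,
                             "time": time, "size": size, "unfixed": unfixed})
    return findings


if __name__ == "__main__":
    for f in audit_file_information(SAMPLE_ROWS):
        print(f"{f['file']} {f['version']} ({f['date']} {f['time']}, "
              f"{f['size']} bytes) still lacks fixes for: {', '.join(f['unfixed'])}")
```

Pointing `audit_file_information` at the text of one of the downloaded 5031354.csv-style files gives the same per-row verdict for the whole update; the version comparison is numeric per component, so a later 8.10.x build is correctly not flagged as older than 8.4.0.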