cURL's own tracker had a banner stating severity High to be released October 11.

It's October 11 and was already October 11 for a lot of the world 13 hours ago (as of writing) when this patch was posted. Nothing was early, nothing was leaked.

EDIT: Why the downvotes? People don't like timezones or something?
The CVE page on curl.se is also online as of now: <a href="https://curl.se/docs/CVE-2023-38545.html" rel="nofollow noreferrer">https://curl.se/docs/CVE-2023-38545.html</a>
"[PATCH] socks: return error if hostname too long for remote resolve<p>Prior to this change the state machine attempted to change the remote resolve to a local resolve if the hostname was longer than 255 characters. Unfortunately that did not work as intended and caused a security issue."
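One way to encode the length check that commit message describes, written as an added example for this thread and not taken from curl's code: SOCKS5 (RFC 1928) sends a remotely resolved hostname behind a one-byte length field, so a name longer than 255 bytes cannot be expressed on the wire and is rejected up front instead of being handled by switching resolve modes. The function and constant names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 1928 ATYP 0x03 (DOMAINNAME) carries a single length octet, so the
   longest hostname a SOCKS5 proxy can be asked to resolve is 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255

/* Build a SOCKS5 CONNECT request for remote resolve into `out`:
   VER, CMD, RSV, ATYP=0x03, LEN, hostname, DST.PORT (big endian).
   Returns the number of bytes written, or -1 if the hostname is empty or
   longer than the protocol allows, or if the caller's buffer is too small.
   Illustrative helper, not curl's implementation. */
int socks5_build_connect(const char *host, uint16_t port,
                         uint8_t *out, size_t outlen)
{
    size_t hlen = strlen(host);
    size_t need;

    /* Fail closed: a too-long name is an error for the caller to report,
       not a reason to silently fall back to some other resolve mode. */
    if (hlen == 0 || hlen > SOCKS5_MAX_HOSTNAME)
        return -1;

    need = 4 + 1 + hlen + 2;          /* header + LEN + name + port */
    if (outlen < need)
        return -1;                    /* never write past the buffer */

    out[0] = 0x05;                    /* VER: SOCKS5 */
    out[1] = 0x01;                    /* CMD: CONNECT */
    out[2] = 0x00;                    /* RSV */
    out[3] = 0x03;                    /* ATYP: DOMAINNAME */
    out[4] = (uint8_t)hlen;           /* fits, since hlen <= 255 */
    memcpy(out + 5, host, hlen);
    out[5 + hlen] = (uint8_t)(port >> 8);
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return (int)need;
}

int main(void)
{
    uint8_t buf[512];
    int n = socks5_build_connect("example.com", 443, buf, sizeof buf);
    printf("request length: %d\n", n);   /* 18 */
    return n > 0 ? 0 : 1;
}
```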
Will people stop messing with unsafe buffers in C already? Even just using C++ with the most basic buffer/dynamic array template would have prevented this issue.
Wat.

So you can only be attacked if you're using a socks5 proxy, and even then you can only be attacked <i>by your own proxy</i>? Which rules out things like torsocks where you're running the proxy too.

Does this really merit all of last week's antics?