notepad-plus-plus / wingup

WinGup - Generic Updater for Windows
http://wingup.org/
GNU Lesser General Public License v3.0

libcurl vulnerabilities in v8.4.9 #36

Closed K2Manning closed 8 months ago

K2Manning commented 1 year ago

mkruntest identified libcurl version 7.79.1-DEV in the latest version of NP++ (v8.4.9)

Per curl's website (https://curl.se/), v7.88.0 is the latest available and should mitigate the vulnerabilities identified here (https://curl.se/docs/vuln-7.79.1.html).

Is it possible for development to upgrade and test libcurl to the latest version within NP++ to mitigate all open vulnerabilities?

Thank you. Please have a great day.

pryrt commented 11 months ago

@donho, there's another user who just reported this in the Community, and included that it's specifically CVE-2023-32001 that is at issue.

So my reply here is a "ping" to remind you that it's still open. :-)

addendum: also, if this issue is fixed/closed, then the original notepad-plus-plus/notepad-plus-plus#13139 should also be closed

donho commented 11 months ago

https://github.com/notepad-plus-plus/wingup/commit/111f0de950071a50018f81b80e9357f2df3910b9

pryrt commented 8 months ago

@donho,

When I was looking into https://community.notepad-plus-plus.org/topic/25136/libcurl-cve-2023-38545-in-updater , I was surprised to see that the user still got libcurl 7.79.1, since this closed issue said that libcurl was updated to v8.2.1 months ago.

However, I just checked the Notepad++ v8.5.8 installer, and the updater\libcurl.dll that is in the most recent installer still says that it's 7.79.1.


Did this wingup commit not get propagated to the Notepad++ installer? Or something else?
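The check pryrt describes above (confirming which libcurl actually ships in the installer's updater directory) can be scripted for release triage. The following is an added example, not code from wingup or Notepad++; it assumes that the libcurl binary carries the usual `libcurl/X.Y.Z` banner string that `curl_version()` reports, and uses constructed byte strings in place of a real `updater\libcurl.dll`.

```python
import re
from pathlib import Path

# curl compiles a banner such as b"libcurl/7.79.1" (or "7.79.1-DEV") into the library;
# this pattern extracts the numeric part and ignores any suffix.  (Assumed banner format.)
LIBCURL_BANNER = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")

def find_libcurl_version(blob: bytes):
    """Return the (major, minor, patch) tuple found in a libcurl binary, or None if absent."""
    m = LIBCURL_BANNER.search(blob)
    return tuple(int(x) for x in m.groups()) if m else None

def version_at_least(found, minimum) -> bool:
    """True when a version was found and it is >= the minimum accepted release."""
    return found is not None and found >= minimum

def check_dll(path: Path, minimum=(8, 4, 0)):
    """Read updater\\libcurl.dll and report (found_version, acceptable).

    The default minimum is the 8.4 release this thread ends up shipping; adjust it
    to whatever the current curl advisories require.
    """
    found = find_libcurl_version(path.read_bytes())
    return found, version_at_least(found, minimum)

# Constructed stand-ins for the stale and fixed DLL contents discussed in this issue.
STALE_DLL = b"MZ\x90\x00...\x00libcurl/7.79.1-DEV\x00"
FIXED_DLL = b"MZ\x90\x00...\x00libcurl/8.4.0\x00"
NO_BANNER = b"MZ\x90\x00...\x00not a curl build\x00"

if __name__ == "__main__":
    for label, blob in (("stale", STALE_DLL), ("fixed", FIXED_DLL), ("unknown", NO_BANNER)):
        v = find_libcurl_version(blob)
        print(f"{label}: libcurl {v} acceptable={version_at_least(v, (8, 4, 0))}")
```

Run `check_dll(Path(r"C:\Program Files\Notepad++\updater\libcurl.dll"))` against an extracted installer to reproduce the comparison made in the thread.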

donho commented 8 months ago

@pryrt You're right about it. After checking the release process, I cannot find the reason for this bad deployment. Anyway, I will check it more carefully in the future. Thank you for your heads-up.

donho commented 8 months ago

https://github.com/notepad-plus-plus/wingup/commit/2dfffa922b60bb918cced71de85e416194bb98b2

pryrt commented 8 months ago

And for the record, I have independently confirmed that the v8.6 RC does indeed correctly ship with libcurl 8.4, which thus fixes both this and #50. :-)

Again, thank you for the fix.

donho commented 8 months ago

Thank you @pryrt for letting me know about this issue!