notepad-plus-plus / wingup

WinGup - Generic Updater for Windows
http://wingup.org/
GNU Lesser General Public License v3.0

cURL library high severity vulnerability (CVE-2023-38545) #50

Closed xomx closed 8 months ago

xomx commented 9 months ago

https://snyk.io/blog/curl-high-severity-vulnerability-oct-2023/ https://curl.se/docs/CVE-2023-38545.html

Fixable by curl-8.4.0

pryrt commented 8 months ago

@donho,

Users are starting to ask about this. https://community.notepad-plus-plus.org/topic/25136/libcurl-cve-2023-38545-in-updater

blundsteatcisco commented 8 months ago

The CVE is critical and on our servers with external exposure, we can't downgrade it, which means it's getting management eyeballs over here.

pryrt commented 8 months ago

Since it's just a copy of libcurl.dll in the installed Notepad++\updater\ directory, could you just try getting a newer libcurl.dll from somewhere else and overwriting the one in the updater directory? That might at least be a short-term workaround. (I cannot guarantee it will work, but it would be worth trying, if you know another source for the DLL.)
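As an added example (not code from the WinGup project or from anyone in this thread), the following PowerShell snippet locates the `libcurl.dll` that ships in the Notepad++ `updater\` directory, reads its file version, and flags any copy older than 8.4.0, the release the issue names as carrying the fix. It is useful both for finding affected installs and for confirming, after the DLL-overwrite workaround above, that the file in place really did change. Assumptions: the install roots listed are where Notepad++ was placed (the per-user `LOCALAPPDATA\Programs` location is a guess), and the DLL carries a version resource the way curl's own Windows builds do; where it does not, the status is reported as unknown and the SHA-256 hash is there for comparison against a known-good build.

```powershell
# Added example, not part of WinGup or the issue thread.
# Inventory the libcurl.dll bundled with the Notepad++ updater and flag copies
# older than the fixed release (8.4.0) named in the issue.

$FixedVersion = [version]'8.4.0'

# Assumed install roots; the per-user 'Programs' location is an assumption.
$Roots = @(
    $env:ProgramFiles
    ${env:ProgramFiles(x86)}
    (Join-Path $env:LOCALAPPDATA 'Programs')
) | Where-Object { $_ }   # drop roots that are undefined on this machine

$Candidates = $Roots | ForEach-Object { Join-Path $_ 'Notepad++\updater\libcurl.dll' }

function Get-LibcurlStatus {
    param([string[]]$Paths)

    foreach ($Path in $Paths) {
        if (-not (Test-Path -LiteralPath $Path)) { continue }

        # Assumption: the DLL has a version resource (curl's official builds do).
        $Raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion

        # Normalise forms such as "8.4.0" or "8.4.0.0" into a comparable [version].
        $Parsed    = $null
        $IsVersion = [version]::TryParse(($Raw -replace '[^\d\.]', ''), [ref]$Parsed)

        [pscustomobject]@{
            Path        = $Path
            FileVersion = $Raw
            SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            Vulnerable  = if ($IsVersion) { $Parsed -lt $FixedVersion }
                          else            { 'unknown (no version resource)' }
        }
    }
}

Get-LibcurlStatus -Paths $Candidates | Format-Table -AutoSize
```

Run it before and after swapping the DLL: a row whose `Vulnerable` column flips from `True` to `False` shows the overwrite took effect, while a hash that is unchanged shows the file was not actually replaced (for example because the updater directory was read-only or a different install root was used). Because the check relies on version metadata, a DLL with no version resource is reported as unknown rather than silently treated as fixed.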