Curl identified as vulnerable

Comments

7 comments

  • cPRex Jurassic Moderator
    Hey there! I'm guessing this is for PCI compliance? If so, you can run this command with a search on the specific CVE they are flagging to show it has been patched:
        rpm -q --changelog curl | grep CVE-####-####
    If that command shows the CVE number being patched, Curl is updated on your machine to a version that isn't affected. If not, it may have never been vulnerable to begin with. Depending on which Curl we're talking about - system Curl, or the php-curl package - the system Curl is provided directly by the OS and not cPanel. Here's an example from my personal AlmaLinux machine:
        # yum list curl
        Last metadata expiration check: 0:05:07 ago on Mon 02 May 2022 12:49:25 PM EDT.
        Installed Packages
        curl.x86_64    7.61.1-22.el8    @baseos
    0
  • jeffschips
    Output of the suggested commands all return nothing for the specified CVE numbers. Based on what you stated, I'm guessing a zero return means this version of curl I'm running is not vulnerable. yum list curl shows 7.29.0-59.el7_9.1, which I'm pretty sure is not the latest, but I'm also just guessing here.
    0
  • cPRex Jurassic Moderator
    That's the latest version available for a CentOS 7 machine, so you're likely good.
    0
  • jeffschips
    So the other program I run continues to say the version of libcurl that my PHP binary is compiled against is 7.81.0 and that it is vulnerable. I know that's not cPanel specific, but based on your experience are we talking about libcurl or php or neither here? It's really confusing...
    0
  • cPRex Jurassic Moderator
    So there's a few different packages:
        curl
        ea-php##-php-curl
        libcurl
    and they'll all have different versions. You'd be able to check libcurl for the CVE with the same command as above, just replacing the argument with libcurl:
        rpm -q --changelog libcurl | grep CVE-####-####
    Here's what I see on a CentOS 7 machine I updated this morning:
        libcurl-7.29.0-59.el7_9.1.x86_64
        curl-7.29.0-59.el7_9.1.x86_64
    0
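The moderator's advice above, in both replies, is to trust the RPM changelog rather than the upstream version string, because enterprise distributions backport fixes without bumping the version (7.29.0 stays 7.29.0, only the release suffix changes). The script below is an added illustration of that check, not code from the thread or from cPanel: it parses changelog text in the shape `rpm -q --changelog curl` prints, reports the earliest release that mentions a given CVE, and shows why a scanner keyed on the bare version keeps flagging the package. The changelog text, maintainer and CVE ids are constructed placeholders.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in the layout of `rpm -q --changelog curl`; the CVE ids
# are placeholders, not real vulnerabilities, and the entries are newest-first.
SAMPLE_CHANGELOG = """\
* Mon Mar 14 2022 Maintainer <maint@example.invalid> - 7.29.0-59.el7_9.1
- fix placeholder issue in URL parser (CVE-0000-0002)

* Tue Jun 23 2020 Maintainer <maint@example.invalid> - 7.29.0-58
- fix placeholder issue in cookie handling (CVE-0000-0001)
- rebuild against updated openssl
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
# Header line: "* <weekday> <month> <day> <year> <author> - <version-release>"
HEADER_RE = re.compile(r"^\*\s+(?P<date>\w{3} \w{3} \d{1,2} \d{4}).*\s(?P<evr>\S+)\s*$")


class Fix(NamedTuple):
    cve: str
    version_release: str  # e.g. 7.29.0-59.el7_9.1; upstream part never changes
    date: str


def parse_changelog(text: str) -> List[Fix]:
    """Walk changelog entries and record every CVE id each entry mentions."""
    fixes: List[Fix] = []
    current: Optional[tuple] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = (header.group("date"), header.group("evr"))
        elif current is not None:
            for cve in CVE_RE.findall(line):
                fixes.append(Fix(cve.upper(), current[1], current[0]))
    return fixes


def upstream_version(evr: str) -> str:
    """Version part of a version-release string: what a naive scanner sees."""
    return evr.split("-", 1)[0]


def cve_fixed(text: str, cve: str) -> Optional[Fix]:
    """Earliest entry mentioning the CVE, or None if the changelog never claims
    a backport (the package may be unaffected, or still vulnerable: check the
    vendor advisory rather than assuming either)."""
    hits = [f for f in parse_changelog(text) if f.cve == cve.upper()]
    return hits[-1] if hits else None  # newest-first, so the last hit is earliest
```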
  • jeffschips
    Ok thank you for the illumination on that. Very useful. SOLVED.
    0
  • cPRex Jurassic Moderator
    I'm glad that helped!
    0