Fresh curl tomorrow will patch 'worst' security flaw in ages

Start your patch engines – a new version of curl is due tomorrow that addresses a pair of flaws, one of which lead developer Daniel Stenberg describes as "probably the worst curl security flaw in a long time." Curl 8.4.0 will hit at around 0600 UTC (0800 CEST, 0700 BST, 0200 EST, 2300 PDT) on October 11 and deal with CVE-2023- …

  1. Anonymous Coward

    Curl dumped core unexpectedly at work yesterday on a trivial URL, without any apparent reason. I should have taken it for what it was: a harbinger of bad things to come. Maybe even OOB patching.

  2. bazza Silver badge

    No one ever uses it with root privileges, right?

  3. Doctor Syntax Silver badge

    Jam tomorrow

    Why wait a day? Or to put it another way, why announce a day early?

    If it's urgent tomorrow it's urgent today so waiting a day (or however many days it's been) isn't justified. OTOH if it's really not ready don't announce it in advance and tip the bad guys off that it might be worth looking for something for which a patch isn't available. It doesn't make sense.

    1. Crypto Monad Silver badge

      Re: Jam tomorrow

      It's the lesser of two evils.

      Right now, what they've given is a notification to the bad guys that there's exploitable code somewhere in curl, which means they can start hunting more carefully for it, but it's still a tough find (they've been hunting for this sort of stuff themselves for a long time).

      However, if they didn't say anything prior to release of the patch, they'd be giving the bad guys exactly what they need: they can examine the patch and start exploiting it almost immediately. Meanwhile, half the world is still in bed or on the train, and the other half are in meetings, and would be caught off-guard.

      I don't think they could avoid saying "it's in curl", because you need *some* indication of whether it's relevant to your environment or not. Plus, it gives people a hint that running curl as root really *isn't* a good idea right now.

  4. amanfromMars 1 Silver badge

    When Worlds Collide, IT Goes Nicely to Hell in a Handcart, with Systems Exploding and Imploding

    He went on: "Overall, the best thing to do here is to not panic, but to install the patched packages ASAP, and don't forget that containers can also contain operating systems – so keep them in mind."

    As for Stenberg, he said: "Now you know. Plan accordingly."

    Is it both the Virtual AI Machine Scene and Pathetic Human InterReactions that be responsible for, and responsive with hostings of Conflict and CHAOS - [Clouds Hosting Advanced Operating Systems] - or is the Remote Systemic Madness and Inherent Mayhem for Exploitative Employment and Enjoyment a Singular Delight of the One exercised over the Other?

    And if you could stimulate IT and simulate with AI, what would you propose be able to be done to help Others Enjoy the Employment and Exploitation of the One over Others? And is such a Conditioned Situation, a Universal Default for All and Everything in an Earthly position and of a human disposition and a Permanent Environmental State?

    What be your Plan whenever confronted and/or assaulted by that sort of Almighty Registered Grand AIMaster Piloted Plan? Suck it and see would be the wisest of them if unsure of what you are facing and dealing and 0day trading with, methinks.

  5. Anonymous Coward

    Here's a clue

    "I cannot disclose any information about which version range is affected, as that would help identify the problem (area) with a very high accuracy so I cannot do that ahead of time."

    So everyone looks for version range/area combinations that would fit this clue.

    As others have said - why speak ahead of time?

  6. Roger Kynaston

    a bit toe curling

    The whole thing just makes me want to curl up in a ball in bed.

  7. GrahamRJ

    I can't believe

    ... that El Reg managed to completely avoid any references to "curling one out".
