Do you use curl? You should update now! The new version 7.71.0 fixes two serious bugs

The new update, cURL 7.71.0, is now available. It focuses on fixing two serious bugs that allow access to passwords and the overwriting of files, which is why users are urged to upgrade to the new version.

For those unfamiliar with this utility: it is used to receive and send data over the network, and it lets you build a request flexibly by setting parameters such as cookie, user_agent, referer and any other header.

cURL supports HTTP, HTTPS, HTTP/2.0, HTTP/3, SMTP, IMAP, POP3, Telnet, FTP, LDAP, RTSP, RTMP and other network protocols. At the same time, an update to the libcurl library was released in parallel; it provides an API for using all curl functions in programs written in languages such as C, Perl, PHP and Python.

Main changes in cURL 7.71.0

This new version is an update and, as mentioned at the beginning, it fixes two bugs, which are the following:

  • CVE-2020-8177: this vulnerability allows an attacker to overwrite a local file on the system when the user accesses a server controlled by the attacker. The problem only manifests itself when the "-J" ("--remote-header-name") and "-i" ("--head") options are used simultaneously.

The "-J" option lets you save the file under the name given in the "Content-Disposition" header. If a file with the same name already exists, curl normally refuses to overwrite it, but when the "-i" option is also present the verification logic breaks and the file is overwritten (the check is performed when the response body is received, but with "-i" the HTTP headers are output first and are written before the response body is processed). Only the HTTP headers are written to the file.

  • CVE-2020-8169: this vulnerability could leak part of the password used to access a site (Basic, Digest, NTLM, etc.) to the DNS server.

When the password contains the "@" character, which is also used as the password delimiter in the URL, and an HTTP redirect is triggered, curl sends the part of the password after the "@" character together with the domain for name resolution.

For example, if you specify the password "passw@passw" and the username "user", curl will generate the URL "https://user:passw@passw@example.com/path" instead of "https://user:passw%40passw@example.com/path" and send a request to resolve the host "passw@example.com" instead of "example.com".

The problem manifests itself when support for relative HTTP redirects is enabled (it can be disabled through CURLOPT_FOLLOWLOCATION).

When traditional DNS is used, the DNS provider and any attacker able to intercept network traffic in transit can learn part of the password (even if the original request was made over HTTPS, as DNS traffic is not encrypted). When DNS over HTTPS (DoH) is used, the leak is limited to the DoH operator.
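The URL rebuild described above, together with a resolver-log check for its visible symptom, as an added example that is not code from the article or from the curl project. The function names, the first-"@" split used to model the wrong host name, and the log format are assumptions made for illustration.

```python
from urllib.parse import quote, urlsplit

def build_url(user, password, host, path, encode=True):
    """Rebuild a URL from separately supplied credentials.

    encode=False models the flawed rebuild described above (raw password);
    encode=True percent-encodes the userinfo, so "@" becomes "%40".
    """
    if encode:
        user, password = quote(user, safe=""), quote(password, safe="")
    return f"https://{user}:{password}@{host}{path}"

def host_first_at(url):
    """Model of the mis-parse: cut the authority at the FIRST '@'.

    Illustrative only: it reproduces the host name the article says was
    sent for resolution; it is not curl's parser.
    """
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return authority.split("@", 1)[1]

def suspicious_queries(log_lines):
    """Return query names containing '@', which no valid host name does."""
    hits = []
    for line in log_lines:
        name = line.split()[-1]  # assumed format: timestamp client name
        if "@" in name:
            hits.append(name)
    return hits

# Constructed resolver log lines (timestamp, client, query name).
SAMPLE_LOG = [
    "2020-06-24T10:00:01Z 10.0.0.5 example.com",
    "2020-06-24T10:00:02Z 10.0.0.5 passw@example.com",
    "2020-06-24T10:00:03Z 10.0.0.7 curl.haxx.se",
]

if __name__ == "__main__":
    bad = build_url("user", "passw@passw", "example.com", "/path", encode=False)
    good = build_url("user", "passw@passw", "example.com", "/path")
    print(bad, "->", host_first_at(bad))
    print(good, "->", host_first_at(good))
    print("standard parser host:", urlsplit(good).hostname)
    print("flagged queries:", suspicious_queries(SAMPLE_LOG))
```

A query name containing "@" in resolver logs is a sign that a client has leaked a credential fragment and that the affected password should be rotated.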

Finally, another change included in the new version is the addition of the "--retry-all-errors" option, which retries operations when any error occurs.

How to install cURL on Linux?

Those who want to install this new version of cURL can do so by downloading the source code and compiling it.

To do this, first download the latest cURL package from a terminal by typing:

wget https://curl.haxx.se/download/curl-7.71.0.tar.xz

Then, we extract the downloaded package (the archive is xz-compressed, hence the "J" flag) with:

tar -xJvf curl-7.71.0.tar.xz

We enter the newly created folder with:

cd curl-7.71.0

We enter as root with:

sudo su

And we type the following:

./configure --prefix=/usr \
--disable-static \
--enable-threaded-resolver \
--with-ca-path=/etc/ssl/certs &&
make &&
make install &&
rm -rf docs/examples/.deps &&
find docs \( -name Makefile\* -o -name \*.1 -o -name \*.3 \) -exec rm {} \; &&
install -v -d -m755 /usr/share/doc/curl-7.71.0 &&
cp -v -R docs/* /usr/share/doc/curl-7.71.0

Finally we can check the version with:

curl --version

If you want to know more about it, you can consult the following link.

