[Daniel's week] October 20, 2023

Daniel Stenberg daniel at haxx.se
Fri Oct 20 16:20:16 CEST 2023


Hello,

Another week ends. This is some of the things that kept me occupied:

## 38545 update

It feels like CVEs have become a standing topic of my weekly emails recently, 
and of course it is here again this week. A lot of CVE stuff.

The aftermath of CVE-2023-38545 has been mostly as expected: there is a tail 
of users out there who now get CVE scanners to warn them about being 
vulnerable and some amount of those users are now contacting the curl project, 
me and wolfSSL asking for support on how to deal with it. A typical quote from 
someone who shall remain nameless here: "can I get some assistance? We 
currently have 7,737 hosts affected".

On Windows we have not seen curl updated for this yet and even though I saw 
indications something is on its way there, my own toy laptop was updated to 
the latest Windows 10 patch status today and it remains on curl 8.0.1.

## LLM CVE

We disclosed a recent security vulnerability report we received [2] on
Hackerone against curl. The report suggested that we had leaked information
about the above mentioned CVE (CVE-2023-38545) before it was publicly
announced. The only problem was that it was all based on hallucinations put
together by Bard, the Google AI chatbot, and contained exactly no truth.

The report instead consisted of text pieced together from old issues
combined with plain made-up numbers and commit ids in a fairly confusing and
inconsistent manner. Luckily it was so bad that nobody wasted much time
discarding and closing the report.

Brodie Robertson did a good take on this on his YouTube channel [3].

## new CVE

Of course researchers and fellow hackers out there don't stop looking at curl
source code and applying pressure on the places where we are weakest, in their
pursuit to uncover more curl security vulnerabilities just because we recently
published a high severity vulnerability. This week a new and valid report
landed at Hackerone that at the current assessment will result in yet another
security advisory at severity level MEDIUM to be published in association with
the pending curl release 8.5.0.

At the moment I write this, we have so far received 401 security problem
reports on Hackerone since we started our bug-bounty program, out of which 62
turned into CVEs, and one is pending. A 15.7% hit rate. Almost one in six. And
of the rest, some also correctly identified bugs and we later fixed even if
they did not end up considered security related.

## pending curl release

Today, the curl 8.4.0 release is nine days old which means that tomorrow we
open the feature window and open the flood gates for changes to get merged for
the next release. All in accordance with our regular release cycle setup.

There were some regressions reported for 8.4.0, and some that affected
building curl, but none of them were at a terrible enough level, I believe, to
warrant a follow-up patch release. We now sail forward with the expectation to
ride through the full 56-day cycle until we ship again. Fingers crossed!

## HTTP/3

Tatsuhiro Tsujikawa is the hero behind ngtcp2 [6] and nghttp3 [7], one of the
solutions we can use to build HTTP/3 into curl. This week he shipped both
those libraries in version 1.0.0 with the intention to stop breaking the API
going forward and thus not shipping them as beta anymore. With third party
dependencies going out of beta, now curl can suddenly look forward to enabling
HTTP/3 support "for real" and remove the EXPERIMENTAL tag - at least if HTTP/3
support is added to curl with this library pair. curl also supports HTTP/3
using two other third party solutions (quiche and msh3) but they are both
still in beta and will therefore remain tagged EXPERIMENTAL.

There are some small steps remaining, but it seems likely this could happen
within the next few weeks so that we can ship it officially in curl 8.5.0.

It is of course still uncertain if any Linux distributions will actually
enable HTTP/3 for users even after this due to the unsatisfying situation with
TLS libraries: OpenSSL cannot be used as it lacks the necessary APIs as you
may well remember from my past whinings [8].

OpenSSL plans to ship their own QUIC implementation in their coming 3.2
release, but I don't know of any HTTP/3 library that works with that. nghttp3
is a QUIC independent library that I suppose could be used. curl has no
support for using OpenSSL's QUIC implementation. Presumably, once OpenSSL
ships something that works, there might pop up some interest to get that
started.

## Nordic APIs

I visited the Platform Summit 2023 conference [4] here in 
Stockholm, Sweden where I did a keynote I titled "next level curl". I got to 
tell the audience about plenty of the things we added and introduced to the 
curl command line tool the last few years. I think sometimes curl users get 
stuck on old versions and they have to be conservative with what options they 
use, so I wanted to have a go and show the audience some of the goodies, some 
highlights, of what we have made curl do the last 4-5 years. Thirty minutes is 
nothing and I ran over a little bit, got some good questions from an 
interested audience and of course managed to hand out a bunch of stickers to 
curl fans in the post-talk hallway discussion. Fun!

I believe there will be a video of this talk posted online at a later point and 
I will try to link it in a future weekly email of mine.

## Coffee with developers

My conversation with Christian Heilmann in the Coffee with Developers series
went online on YouTube this week [5]. Christian and I have common history both
as old Commodore 64 hackers from back in the day and as fellow ex-Mozillians.
We talked mostly about curl and related development topics (of course).

## Anniversaries

On October 13th 2013 we created the first CI jobs (on Travis CI) for curl that
verified the build in pull requests and commits. Today, we run some 140 plus
something for every commit and pull request, spread over five separate
services. We stopped using Travis CI in 2021 [9].

On October 19th 2017 I received the Polhem Prize award [10] for my work on
curl. That night, that event, remains as one of the most special days of my
life. I have not received a single medal since!

## Coming up

- Saturday: the curl feature window opens
- Thursday: I'm "guesting" another podcast

## Links

[1] = https://curl.se/docs/CVE-2023-38545.html
[2] = https://hackerone.com/reports/2199174
[3] = https://youtu.be/r0-tKuoiagY?si=GWwuAIg54xMKEt02
[4] = https://nordicapis.com/events/platform-summit-2023/
[5] = https://youtu.be/YQgAc4wlG94?si=UeRmwS2M81xZsx9T
[6] = https://nghttp2.org/ngtcp2/
[7] = https://nghttp2.org/nghttp3/
[8] = https://daniel.haxx.se/blog/2021/10/25/the-quic-api-openssl-will-not-provide/
[9] = https://daniel.haxx.se/blog/2021/06/14/bye-bye-travis-ci/
[10] = https://daniel.haxx.se/blog/2017/10/20/my-night-at-the-museum/


-- 

  / daniel.haxx.se