[Daniel's week] September 15, 2023

Daniel Stenberg daniel at haxx.se
Fri Sep 15 18:16:26 CEST 2023


Hi friends.

Another packed week ends.

## release

We put the 8.3.0 release [1] together and sent it out in the world on 
Wednesday, did the release video and we have not received any alarming bugs 
reported on this release just yet. It seems we might avoid doing a follow-up 
patch release this time and I'm cautiously happy about this fact.

## CVE

With the new release we also published CVE-2023-38039 [2], which we set to 
severity medium and which is another one of those "aargh that was so obvious so 
why did we not think about this ourselves" moments. But yes, security is hard.

## bogus

The story of the bogus curl CVE continued this week with this great episode 
[3] from the Open Source Security podcast on the topic.

I also did a video interview with a reporter this week on the same topic where 
I helped explain the issue and some of the problems I think exist in this 
area.

The story was also covered by LWN [9], but that article is still behind their 
paywall for a few more days.

I am slightly overwhelmed by, but grateful for, all the attention this subject
has received. I can only hope that it also brings some improvements with it.

## talk

This Thursday I visited a community tech day in Stockholm hosted by Keyfactor
[4] and I did a talk about QUIC + HTTP/3, what they are and how they are used
today. A topic I have covered what feels like a million times and the tech is
not "news" anymore, but it still seems to keep reaching new ears and teaching
more people about their existence.

## myconf

Another talk of mine, "just curl it" [5], done back in May this year when I
visited the myconf conference in Karlskrona, Sweden, was made public this
week. That conference is one of my favorites so far this year, thanks to its
personal touch and the awesome hosting of me as a speaker.

## ECH

Stephen Farrell mentioned his updated work on ECH [10] for curl (based on
previous work done by Niall O'Reilly) to the mailing list [6] and based on
that it sounds as if we might see an early PR for this coming up soon. I am
intrigued and curious. ECH makes use of the HTTPS DNS record [11] and we want
to add support for that record to curl for other purposes as well going
forward.

## CNA

I have officially submitted the form applying for curl to become a CNA, to
manage curl related CVEs. I marked us as an "open source" CNA and I asked to
be put under the root CNA called Red Hat.

When doing this, I made sure there is a page on the curl site now called
Vulnerability Disclosure Policy [7], and my application also references the
curl CVE page [8] as the place where all publicly posted CVEs will be listed.

I have no idea how long the onboarding process might be or how much work it
will entail. I will of course keep you posted on all and any progress in this
venture. I asked for our "onboarding session" to be done on one of the days
October 10, 11 or 12.

## Coming up

- the curl feature freeze holds until Sep 23
- tiny-curl release maybe finally?
- Thursday, another podcast recording (CVE related)

## Links

[1] = https://daniel.haxx.se/blog/2023/09/13/curl-8-3-0/
[2] = https://curl.se/docs/CVE-2023-38039.html
[3] = https://opensourcesecurity.io/2023/09/10/episode-392-curl-and-the-calamity-of-cve/
[4] = https://www.keyfactor.com/community-tech-meetup-23/
[5] = https://factor10.solidtango.com/watch/b28as4j3
[6] = https://curl.se/mail/lib-2023-09/0005.html
[7] = https://curl.se/dev/vuln-disclosure.html
[8] = https://curl.se/docs/security.html
[9] = https://lwn.net/Articles/944209/
[10] = https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
[11] = https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/12/


-- 

  / daniel.haxx.se

