[Daniel's week] September 15, 2023
daniel at haxx.se
Fri Sep 15 18:16:26 CEST 2023
Another packed week ends.
We put the 8.3.0 release together and sent it out in the world on
Wednesday, did the release video and we have not received any alarming bugs
reported on this release just yet. It seems we might avoid doing a follow-up
patch release this time and I'm cautiously happy about this fact.
With the new release we also published CVE-2023-38039, which we set to
severity medium and is another one of those "aargh that was so obvious so why
did we not think about this ourselves" moments. But yes, security is hard.
The story of the bogus curl CVE continued this week with this great episode
from the Open Source Security podcast on the topic.
I also did a video interview with a reporter this week on the same topic where
I helped explain the issue and some of the problems I think exist in this
The story was also covered by LWN , but that article is still behind their
paywall for a few more days.
I am slightly overwhelmed but grateful by all the attention this subject has
received. I can only hope that it also brings some improvements with it as
This Thursday I visited a community tech day in Stockholm hosted by Keyfactor
and I did a talk about QUIC + HTTP/3, what they are and how they are used
today. A topic I have covered what feels like a million times and the tech is
not "news" anymore, but it still seems to keep reaching new ears and teaching
more people about their existence.
Another talk of mine, done back in May this year, was when I visited the
myconf conference in Karlskrona Sweden, and talked "just curl it" was made
public this week. That conference is one of my favorites so far this year,
thanks to its personal touch and the awesome hosting of me as a speaker.
Stephen Farrell mentioned his updated work on ECH for curl (based on
previous work done by Niall O'Reilly) to the mailing list and based on
that it sounds as if we might see an early PR for this coming up soon. I am
intrigued and curious. ECH makes use of the HTTPS DNS record and we want
to add support for that record to curl for other purposes as well going
I have officially submitted the form applying for curl to become a CNA, to
manage curl related CVEs. I marked us as an "open source" CNA and I asked to
be put under the root CNA called Red Hat.
When doing this, I made sure there is a page on the curl now called
Vulnerability Disclosure Policy and my application also references the
curl CVE page as the place where all publicly posted CVEs will be listed.
I have no idea how long the onboarding process might be or how much work it
will entail. I will of course keep you posted on all and any progress in this
venture. I asked for our "onboarding session" to be done on one of the days
October 10, 11 or 12.
## Coming up
- the curl feature freeze holds until Sep 23
- tiny-curl release maybe finally?
- Thursday, another podcast recording (CVE related)
 = https://daniel.haxx.se/blog/2023/09/13/curl-8-3-0/
 = https://curl.se/docs/CVE-2023-38039.html
 = https://opensourcesecurity.io/2023/09/10/episode-392-curl-and-the-calamity-of-cve/
 = https://www.keyfactor.com/community-tech-meetup-23/
 = https://factor10.solidtango.com/watch/b28as4j3
 = https://curl.se/mail/lib-2023-09/0005.html
 = https://curl.se/dev/vuln-disclosure.html
 = https://curl.se/docs/security.html
 = https://lwn.net/Articles/944209/
 = https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
 = https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/12/