Need help on how to upgrade the curl.exe and libcurl.dll file versions on Windows

2024-09-13 Thread Jody Sherwin via curl-users
Hello,

During our monthly Nessus Security Vulnerability Scan we have received a
few separate results on needing to upgrade the version of the [curl.exe]
and the [libcurl.dll] files on a few Windows machines, which I had a few
questions on this...

I was wondering how do I go about these upgrades as it seems the files are
installed in a few separate locations?

From my understanding, the [curl.exe] and [libcurl.dll] files are used to
help transfer data from these machines in the scan report like http / https
and sql db traffic and such, is that correct??

If so, do I perhaps reach out to you guys on this, or is this something
that the manufacturers like HPE, Microsoft, SAP BusinessObjects, and the
Shibboleth Support folks would assist on instead??

Here are the locations in question that require upgrades:

Path : C:\hp\hpsmh\modules\libcurl.dll
Installed version : 7.49.1.0
Fixed version : 8.9.1

Path : C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Mashup\ODBC Drivers\Simba Spark ODBC Driver\LibCurl32.DllA\libcurl.dll
Installed version : 7.60.0.0
Fixed version : 8.9.1

Path : C:\Program Files (x86)\SAP BusinessObjects\Crystal Reports for .NET Framework 4.0\Common\SAP BusinessObjects Enterprise XI 4.0\win32_x86\libcurl.dll
Installed version : 7.78.0.0
Fixed version : 8.9.1

Path : c:\program files\shibboleth\sp\lib\curl.exe
Installed version : 8.4.0.0
Fixed version : 8.9.1

Path : c:\program files (x86)\shibboleth\sp\lib\curl.exe
Installed version : 8.4.0.0
Fixed version : 8.9.1

Thank you in advance for your help,


Jody Sherwin
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html


RE: Need help on how to upgrade the curl.exe and libcurl.dll file versions on Windows

2024-09-14 Thread Jody Sherwin via curl-users
Thanks guys!


 Original message 
From: Daniel Feenberg 
Date: 9/14/24 12:05 PM (GMT-05:00)
To: Jody Sherwin via curl-users 
Cc: Jody Sherwin 
Subject: Re: Need help on how to upgrade the curl.exe and libcurl.dll file
versions on Windows



On Fri, 13 Sep 2024, Jody Sherwin via curl-users wrote:

> Hello,
>
> During our monthly Nessus Security Vulnerability Scan we have received a
> few separate results on needing to upgrade the version of the [curl.exe]
> and the [libcurl.dll] files on a few Windows machines, which I had a few
> questions on this...
>
> I was wondering how do I go about these upgrades as it seems the files are
> installed in a few separate locations?
> ...
> If so, do I perhaps reach out to you guys on this, or is this something
> that the manufacturers like HPE, Microsoft, SAP BusinessObjects, and the
> Shibboleth Support folks would assist on instead??
> ...

Fandrich has good advice, if indeed the vendors noted are willing to help.
If you are a small customer, they may not share your concerns and will
refuse to help. In that case I would look at how curl is being used. If
you only use it to contact sites known to be trustworthy, it would be
reasonable to leave things be. If you have constraints that require a
clean scan, try replacing the existing binaries with updated ones from the
curl website. Save the existing ones and do some testing. It is likely to
be fine.

You may find this of interest:


https://www.invicti.com/blog/web-security/why-curl-buffer-overflow-vulnerability-is-not-next-log4shell/

Daniel Feenberg
NBER
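
The inventory step that comes before either route discussed in this thread (asking the vendor, or saving and replacing the binaries), as an added example that is not part of the original messages: a read-only PowerShell script that lists every copy of curl.exe and libcurl.dll with its version and hash. The parameter names are hypothetical; the default search roots and the 8.9.1 threshold are taken from the scan findings quoted above.

```powershell
# Added example: inventory curl.exe / libcurl.dll copies and flag those below
# the scanner's "Fixed version". Read-only; nothing on disk is changed.
param(
    # Assumed search roots, taken from the paths in the scan report.
    [string[]]$Roots = @('C:\hp', 'C:\Program Files', 'C:\Program Files (x86)'),
    # "Fixed version" as reported by the scan.
    [version]$FixedVersion = '8.9.1'
)

$names = 'curl.exe', 'libcurl.dll'

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |   # -contains ignores case
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string
            # is free-form text. A file with no version resource yields 0.0.0
            # and is therefore reported as outdated.
            $installed = [version]::new($vi.FileMajorPart,
                                        $vi.FileMinorPart,
                                        $vi.FileBuildPart)
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                        -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Path      = $_.FullName
                Installed = $installed
                Fixed     = $FixedVersion
                Outdated  = $installed -lt $FixedVersion
                Company   = $vi.CompanyName   # hints at which vendor shipped it
                SHA256    = $hash.Hash        # record of the binary before any change
            }
        }
}

# One row per copy found, outdated copies first.
$findings |
    Sort-Object @{ Expression = 'Outdated'; Descending = $true }, Path |
    Format-List Path, Installed, Fixed, Outdated, Company, SHA256
```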