SOLVED Curl identified as vulnerable

[jeffschips]

Hello. I hope everyone is safe and healthy.

CentOS Linux release 7.9.2009 (Core)
curl 7.29.0

I'm receiving notices from a service that my curl version needs to be upgraded. I'm also reading through tech articles some of which caution against upgrading.

So what is the story with cpanel and curl?

 

[cPRex]

Hey there! I'm guessing this is for PCI compliance? If so, you can run this command with a search on the specific CVE they are flagging to show it has been patched:

rpm -q --changelog curl | grep CVE-####-####

If that command shows the CVE number being patched, Curl is updated on your machine to a version that isn't affected. If not, it may have never been vulnerable to begin with.

Depending on which Curl we're talking about - system Curl, or the php-curl package - the system Curl is provided directly by the OS and not cPanel. Here's an example from my personal AlmaLinux machine:

# yum list curl
Last metadata expiration check: 0:05:07 ago on Mon 02 May 2022 12:49:25 PM EDT.
Installed Packages
curl.x86_64                                                                         7.61.1-22.el8                                                                          @baseos

 

[jeffschips]

Output of the suggested commands all return nothing for the specified CVE numbers. Based on what you stated I'm guessing a zero return means this version of curl I'm running is not vulnerable.

yum list curl shows:
7.29.0-59.el7_9.1

Which I'm pretty sure is not the latest but I'm also just guessing here.

 

[cPRex]

That's the latest version available for a CentOS 7 machine, so you're likely good.

 

[jeffschips]

So the other program I run continues to say the version of libcurl that my PHP binary is compiled against is 7.81.0 and that it is vulernable. I know that's not cpanel specific but based on your experience are we talking about libcurl or php or neither here? It's really confusing. . .

 

[cPRex]

So there's a few different packages:

curl
ea-php##-php-curl
libcurl

and they'll all have different versions. You'd be able to check libcurl for the CVE with the same command as above, just replacing the argument with libcurl:

rpm -q --changelog libcurl | grep CVE-####-####

Here's what I see on a CentOS 7 machine I updated this morning:

libcurl-7.29.0-59.el7_9.1.x86_64
curl-7.29.0-59.el7_9.1.x86_64

 

[jeffschips]

Ok thank you for the illumination on that. Very useful. SOLVED.

 

[cPRex]

I'm glad that helped!