SOLVED Curl identified as vulnerable

jeffschips

Well-Known Member
Jun 5, 2016
270
36
78
new york
cPanel Access Level
Root Administrator
Hello. I hope everyone is safe and healthy.

CentOS Linux release 7.9.2009 (Core)
curl 7.29.0

I'm receiving notices from a service that my curl version needs to be upgraded. I'm also reading through tech articles some of which caution against upgrading.

So what is the story with cpanel and curl?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,279
2,088
363
cPanel Access Level
Root Administrator
Hey there! I'm guessing this is for PCI compliance? If so, you can run this command with a search on the specific CVE they are flagging to show it has been patched:

Code:
rpm -q --changelog curl | grep CVE-####-####
If that command shows the CVE number being patched, Curl is updated on your machine to a version that isn't affected. If not, it may have never been vulnerable to begin with.

Depending on which Curl we're talking about - system Curl, or the php-curl package - the system Curl is provided directly by the OS and not cPanel. Here's an example from my personal AlmaLinux machine:

Code:
# yum list curl
Last metadata expiration check: 0:05:07 ago on Mon 02 May 2022 12:49:25 PM EDT.
Installed Packages
curl.x86_64                                                                         7.61.1-22.el8                                                                          @baseos
 
  • Like
Reactions: Spirogg

jeffschips

Well-Known Member
Jun 5, 2016
270
36
78
new york
cPanel Access Level
Root Administrator
Output of the suggested commands all return nothing for the specified CVE numbers. Based on what you stated I'm guessing a zero return means this version of curl I'm running is not vulnerable.

yum list curl shows:
7.29.0-59.el7_9.1

Which I'm pretty sure is not the latest but I'm also just guessing here.
 

jeffschips

Well-Known Member
Jun 5, 2016
270
36
78
new york
cPanel Access Level
Root Administrator
So the other program I run continues to say the version of libcurl that my PHP binary is compiled against is 7.81.0 and that it is vulernable. I know that's not cpanel specific but based on your experience are we talking about libcurl or php or neither here? It's really confusing. . .
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
13,279
2,088
363
cPanel Access Level
Root Administrator
So there's a few different packages:

curl
ea-php##-php-curl
libcurl

and they'll all have different versions. You'd be able to check libcurl for the CVE with the same command as above, just replacing the argument with libcurl:

Code:
rpm -q --changelog libcurl | grep CVE-####-####
Here's what I see on a CentOS 7 machine I updated this morning:

Code:
libcurl-7.29.0-59.el7_9.1.x86_64
curl-7.29.0-59.el7_9.1.x86_64