[Security] Actions due to/Information around CVE-2023-38545 #35

Open
JanEbbing opened this issue Oct 10, 2023 · 1 comment

Comments

@JanEbbing
Member

The cURL project recently announced a high-severity security flaw affecting cURL and libcurl, with patches coming out on Oct 11th. DeepL takes security extremely seriously and is taking the appropriate internal measures to ensure the flaw is fixed in our systems ASAP. This issue serves to inform the users of our client libraries how this flaw affects the client libraries.

Affected libraries
We reviewed our dependencies and found no link to cURL in any library except this PHP one. This library uses the PHP cURL extension ext-curl, and does not itself include libcurl or similar. Hence, it is the user's responsibility to update the library on the system the client library is running on.

How can I check if I am affected?
Run this command in your console with the php binary that is also used for the client library: `php -r "phpinfo(INFO_MODULES);" | grep cURL`

If the cURL Information line shows a version below 8.4.0, you are affected and should update your system's cURL version.

How can I update?

This will depend on your operating system/how you installed cURL. You can find some general pointers for all major operating systems here.

@JanEbbing JanEbbing changed the title [placeholder] Actions due to/Information around CVE-2023-38545 Actions due to/Information around CVE-2023-38545 Oct 11, 2023
@JanEbbing JanEbbing changed the title Actions due to/Information around CVE-2023-38545 [Security] Actions due to/Information around CVE-2023-38545 Oct 11, 2023
@JanEbbing
Member Author

JanEbbing commented Oct 11, 2023

There is now an official article on the vulnerability.
Please update the curl installation on your system to 8.4.0.

Affected versions: libcurl 7.69.0 to and including 8.3.0
Not affected versions: libcurl < 7.69.0 and >= 8.4.0

I will keep this issue open for a while (~few months) for visibility and eventually close it.
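
As an added example (not part of this issue or of the deepl-php library), the POSIX shell script below applies the affected range stated in this comment, 7.69.0 up to and including 8.3.0, to the libcurl version that PHP's own ext-curl reports through `curl_version()`, which is the same value behind the phpinfo() "cURL Information" line from the first post and can differ from the `curl --version` binary on the same host. The version-to-integer helper and the constructed "8.4.0-DEV" edge case are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue or the deepl-php library): classify a
# libcurl version string against the CVE-2023-38545 range quoted in this
# issue, 7.69.0 up to and including 8.3.0, and query the version that PHP's
# ext-curl is actually linked against, which can differ from `curl --version`.

# Map "MAJOR.MINOR.PATCH" to one integer so the range check is plain
# arithmetic. Any non-numeric suffix (e.g. a constructed "8.4.0-DEV") is
# dropped; curl releases do not use leading zeros, so octal is not a concern.
ver_num() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    major=${v%%.*}
    rest=${v#*.}; [ "$rest" = "$v" ] && rest=0
    minor=${rest%%.*}
    patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Exit status 0 when VERSION is inside the affected range, 1 otherwise.
cve_2023_38545_affected() {
    n=$(ver_num "$1")
    [ "$n" -ge "$(ver_num 7.69.0)" ] && [ "$n" -le "$(ver_num 8.3.0)" ]
}

# libcurl version as seen by the PHP interpreter that runs the client library;
# prints nothing when ext-curl is not loaded. phpinfo()'s "cURL Information"
# line shows this same value.
php_curl_version() {
    php -r 'echo extension_loaded("curl") ? curl_version()["version"] : "";' 2>/dev/null
}

# Stand-alone use: report on the local PHP install, if there is one.
if command -v php >/dev/null 2>&1; then
    v=$(php_curl_version)
    if [ -z "$v" ]; then
        echo "php found, but ext-curl is not loaded"
    elif cve_2023_38545_affected "$v"; then
        echo "ext-curl libcurl $v: affected, update to 8.4.0 or newer"
    else
        echo "ext-curl libcurl $v: not affected"
    fi
fi
```

Run it with the same `php` binary the client library uses; a host with several PHP installations may link each one against a different libcurl.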

@daniel-jones-deepl daniel-jones-deepl pinned this issue Oct 11, 2023