Does Audacity 3.7.2 have a fix for CVE-2023-38545, CVE-2023-38546 and CVE-2024-7264?

Hi, I looked at the Audacity 3.7.2 change log but I don’t see a fix for CVE-2023-38545, CVE-2023-38546 and CVE-2024-7264 listed. Do you know if C:\Program Files (x86)\Audacity\libcurl.dll will be updated from 7.82.0 to 8.9.1 or newer to resolve the vulnerabilities in Audacity 3.7.2?

I’m on Ubuntu Linux. These bugs in libcurl have been fixed by the Debian security team. I have not checked other platforms.

Note that the risks described in these advisories are greatly reduced in Audacity because user-supplied URLs cannot be used - the endpoints are hard coded to connect Audacity to on-line resources that are owned by Muse Group (who also own Audacity).

If you are still concerned about these advisories, you can turn off update checking in Audacity Preferences, avoid using the cloud storage feature, and decline sending crash reports.

It would be great if it was fixed on the Windows side as well. My vulnerability software keeps alerting on it.