The libcurl component on the Windows 3.7.3 shows to be version 7.82.0.0. The oldest version acceptable as the fixed version is 8.4.0. Without this updated, my organization has to get a security exemption or remove the software.
Thanks for the report, we’ll look into it.
FWIW: we only use curl to access trusted platforms for a handful of features (i.e. audacityteam.org for update checking and crash reporting, and audio.com for audio sharing). If you don’t require these features, you can disable them, ensuring that curl never gets used.
Hello,
I hope you don’t mind me chipping in here, but updating libcurl would also be very helpful to us, and possibly others. In the UK, many computers which are used in a business environment are audited for CE+ certification using tools such as Nessus, with the purpose of detecting potentially exploitable weaknesses in installed programs.
As with the original poster (Christina462), the presence of the old libcurl causes significant problems with achieving compliance, and may eventually force us to uninstall the software and search for alternatives. This would be a huge shame, since it is a genuinely useful tool in our toolkit!
Are you able to confirm categorically to us whether or not libcurl is used within Audacity in a way which could be exploited as per CVE-2023-38545? I suspect from what you have said that it is ok, but confirmation would make it easier to get a security exemption in the meantime.
Thanks,
Chris