libcurl 8.4.0 not available in RedHat 8.8

Latest response

Hello, I am trying to install libcurl version 8.4.0 using yum install libcurl.
I can see that there is no update beyond version 7.61.

How can I update libcurl to version 8.4.0 in RedHat 8.8?


That later version is not available, even in RHEL 9.

What is the reason you need an updated libcurl?

If your concern is the recent Important CVE-2023-38545 that doesn't apply to RHEL 8's curl, and RHEL 9 has been repaired already.

Would that mean this is a false positive for RHEL 8 systems? I see this vulnerability showing up as a Critical and to also patch to 8.4.0

It does appear to be a false positive.

Looking at the patch which fixes this CVE, the issue was introduced with upstream socks: make the connect phase non-blocking in libcurl-7.69.0 and that code isn't present in RHEL 8's libcurl package.

RHEL 8s libcurl package is based on upstream 7.61.1 and we didn't backport that above patch to RHEL. It appears this vulnerability was never introduced to RHEL 8 or earlier.

Note: I'm not a security specialist nor curl specialist. This is just a discussion forum. If you need an "official" answer from Red Hat Product Security then please do email