Comments 4 Posted In Red Hat Enterprise Linux libcurl 8.4.0 not available in RedHat 8.8 Latest response 2023-11-17T00:57:39+00:00 Hello, I am trying to install libcurl version 8.4.0 using yum install libcurl. I can see that there is no update beyond version 7.61. How can I update libcurl to version 8.4.0 in RedHat 8.8? js Started 2023-11-08T21:18:51+00:00 by jsin9812 Newbie 5 points Log in to join the conversation Responses Sort By Oldest Sort By Newest JB Red Hat Guru 12699 points 8 November 2023 9:30 PM Jamie Bainbridge That later version is not available, even in RHEL 9. What is the reason you need an updated libcurl? If your concern is the recent Important CVE-2023-38545 that doesn't apply to RHEL 8's curl, and RHEL 9 has been repaired already. EE Newbie 15 points 15 November 2023 8:33 PM Eugene Ento Would that mean this is a false positive for RHEL 8 systems? I see this vulnerability showing up as a Critical and to also patch to 8.4.0 JB Red Hat Guru 12699 points 15 November 2023 11:06 PM Jamie Bainbridge It does appear to be a false positive. Looking at the patch which fixes this CVE, the issue was introduced with upstream socks: make the connect phase non-blocking in libcurl-7.69.0 and that code isn't present in RHEL 8's libcurl package. RHEL 8s libcurl package is based on upstream 7.61.1 and we didn't backport that above patch to RHEL. It appears this vulnerability was never introduced to RHEL 8 or earlier. Note: I'm not a security specialist nor curl specialist. This is just a discussion forum. If you need an "official" answer from Red Hat Product Security then please do email firstname.lastname@example.org. JB Red Hat Guru 12699 points 17 November 2023 12:57 AM Jamie Bainbridge We now have a knowledgebase page about this too: Is the curl Important CVE-2023-38545 in SOCKS proxy hostname fixed in RHEL?