Update curl to resolve CVE-2023-38545

Hi everyone. In view of the recent vulnerability (CVE-2023-38545), it is recommended to get curl updated to version 8.4.0.

I am using a self-managed GitLab instance (omnibus installation), and my cloud security center is flagging to me that there is a curl tool, version 8.0.1-DEV, under the path “/opt/gitlab/embedded/lib/libcurl.so.4.8.0”.
I tried updating curl on my Linux self-managed instance, but it seems to only update the curl tool under the “usr/” path, not the one in “/opt/gitlab/embedded/lib/libcurl.so.4.8.0”.

Appreciate if anyone knows how we can get it updated in “/opt/gitlab/embedded/lib/libcurl.so.4.8.0”.
Thank you in advance.

Gitlab 16.5.0 has been released, so you may wish to upgrade to this to see if the problem has been fixed. Although from the CVE link you provided, there is no such vulnerability anyway even with the older curl version - mainly because Gitlab isn’t configured in such a way that the vulnerability can be abused. It would require you to be using a SOCKS5 proxy somewhere in your configuration. So unless you configured this externally to Gitlab, or attempted to integrate it with your Gitlab configuration, you are not affected.


Confirming that 16.5.0 uses Curl v8.4.0:

root@gitlab:~# head -1 /opt/gitlab/version-manifest.txt
gitlab-ee 16.5.0
root@gitlab:~# grep curl /opt/gitlab/version-manifest.txt
curl curl-840 git:d31a8424e8bac2725ee54a1678f1b679c5e31a18

Hi @iwalker @JamesRLopes apologies for the late reply, got distracted with other work.
Thanks for the info both! I have upgraded my GitLab to 16.5.0 and verified the curl is now v8.4.0.


@iwalker and @JamesRLopes I did upgrade GitLab to 16.6.4 and that fixed only the curl vulnerability and not libcurl. The Security Team flagged curl at path /opt/gitlab-orig/embedded/lib/libcurl.so.4.8.0. How do I get that remediated?

/opt/gitlab-orig sounds like someone made a copy of /opt/gitlab. It’s not an official GitLab directory, since GitLab is only in /opt/gitlab.
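The two checks discussed in this thread, reading the curl entry out of the omnibus version-manifest.txt (as in the post above) and finding leftover libcurl copies such as /opt/gitlab-orig, as one added example script. This is not code from the thread or from GitLab: the manifest line format ("curl curl-840 git:<sha>", with the digits standing for major.minor.patch) is assumed from the post, the fixture directory and its contents are constructed here, and the "curl-801" entry and zero hash in the fixture are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from GitLab. Checks an omnibus
# version-manifest.txt for a curl >= 8.4.0 (the release that fixed
# CVE-2023-38545) and lists libcurl copies outside <root>/gitlab/embedded.
# Assumption: the manifest's curl field looks like "curl-840" (= 8.4.0).

# curl_manifest_ok MANIFEST: exit 0 if the manifest's curl entry is >= 8.4.0.
curl_manifest_ok() {
    entry=$(awk '$1 == "curl" {print $2; exit}' "$1")   # e.g. curl-840
    [ -n "$entry" ] || return 2                           # no curl entry at all
    num=${entry#curl-}                                    # 840
    case "$num" in
        *[!0-9]*|'') return 2 ;;                          # unexpected format
    esac
    [ "$num" -ge 840 ]                                    # 8.4.0 or newer
}

# list_libcurl ROOT: every libcurl.so* file under ROOT, one per line.
list_libcurl() {
    find "$1" -type f -name 'libcurl.so*' 2>/dev/null | sort
}

# stray_libcurl ROOT: libcurl copies under ROOT that are NOT inside
# ROOT/gitlab/embedded, i.e. files an omnibus upgrade will never replace.
stray_libcurl() {
    list_libcurl "$1" | grep -v -F "$1/gitlab/embedded/" || true
}

# make_fixture: constructed stand-in for /opt after an upgrade that left a
# copy of the old tree behind. Prints the temporary root directory.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/gitlab/embedded/lib" "$root/gitlab-orig/embedded/lib"
    # Real 16.5.0 manifest lines, as quoted in the thread.
    printf 'gitlab-ee 16.5.0\ncurl curl-840 git:d31a8424e8bac2725ee54a1678f1b679c5e31a18\n' \
        > "$root/gitlab/version-manifest.txt"
    # Constructed placeholder for the old copy (version and hash are not real).
    printf 'gitlab-ee PLACEHOLDER\ncurl curl-801 git:0000000000000000000000000000000000000000\n' \
        > "$root/gitlab-orig/version-manifest.txt"
    : > "$root/gitlab/embedded/lib/libcurl.so.4.8.0"
    : > "$root/gitlab-orig/embedded/lib/libcurl.so.4.8.0"
    echo "$root"
}

# demo: run both checks against the fixture and report.
demo() {
    root=$(make_fixture)
    for m in "$root/gitlab/version-manifest.txt" "$root/gitlab-orig/version-manifest.txt"; do
        if curl_manifest_ok "$m"; then
            echo "OK      $m"
        else
            echo "OUTDATED $m"
        fi
    done
    echo "libcurl copies outside gitlab/embedded:"
    stray_libcurl "$root"
    rm -rf "$root"
}

demo
```

On a real host you would call `curl_manifest_ok /opt/gitlab/version-manifest.txt` and `stray_libcurl /opt`. The manifest is the reliable place to read the release from: the file name libcurl.so.4.8.0 carries the library's interface version, not the curl release number, so a scanner keyed on the file name alone will keep flagging a copy regardless of what was upgraded, and a stray tree like /opt/gitlab-orig is only cleared by removing it. The numeric compare assumes the single-digit minor/patch encoding seen in the post; a two-digit minor would need a proper version split.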