On Wed, 3 Jan 2018, Wayne Davies wrote:

> Can you confirm if version 7.48.0 is still being supported for security patches???

Yes and no.

When we publish security advisories we always post at least one official patch for the problem. That patch is made against a recent version of the source code and in *most* cases that patch can be applied to a wide range of versions. We also try to keep security patches minimal so even if it wouldn't apply 100% cleanly on an older version, it should be possible to manually fix the merge collisions.

However, every once in a while you will find that the patch we release doesn't apply to an older version that is still said to be vulnerable to the problem. We simply don't have the manpower or bandwidth to make sure that we have patches for all vulnerable versions.

Sometimes you will find that some of the Linux distro vendors adapt the fix for the older curl versions they still support, and piggybacking on their work can be a way to get a patch for an older curl version.

We don't actually have any "support" for anything but the very latest versions. We don't have any maintained development branches other than master so we never produce updates of old versions. We only release from the head of the master branch.

--

 / daniel.haxx.se