On Thu, 28 Oct 2021, Joscha Knobloch via curl-library wrote:
> It has the following curl version: curl 7.29.0
That version was released in early 2013. We've done almost *12,000* commits and 72 releases since then.
I presume your OS vendor has patched the *60* individual security vulnerabilities that are present in the original version of that release [1], which then also has converted it into a frankencurl version you cannot expect that anyone else than the centos maintainers can take responsibility for.
> This is working fine with: curl 7.64.1
This is not only a newer curl release, you're also comparing with a curl built to use a different TLS backend. It might matter.
> In which version was this fixed?
I don't know
> I am not sure if I am looking in the right place because the entry from 6be2804 is still there on the latest tag of curl which is far newer than my local installation.
That commit just removed the entry from KNOWN_BUGS. It doesn't actually say or hint about when the exact fix was done.
Besides, I'm not convinced you'll be much happier even if you figure out the exact commit that made it work: You still need to update and why then make the situation even more complicated by patching a frankencurl instead of just going to a much much newer version anyway?
If you really want to find the exact commit, I think bisecting is the only way.
> How would you go about updating curl to a newer version on CentOS7? Is there a repository that could be added?
I don't know anything about centos and centos repositories, but I know that building a modern curl from source is usually possible and a viable alternative even on these outdated systems.
[1] = https://curl.se/docs/vuln-7.29.0.html

--
 / daniel.haxx.se
