I wanted to let you know that there's a recent curl CVE published and it doesn't look like it was acknowledged by the curl authors since it's not mentioned on the curl website: CVE-2020-19909
Note that the "2020" in the CVE ID is likely to be the year the report was submitted to the CNA (not sure who processed this), but it became public only this week.

You won't be surprised to know that NVD rated it as a "Critical":
https://nvd.nist.gov/vuln/detail/CVE-2020-19909

The CVE's description says:
> Integer overflow vulnerability in tool_operate.c in curl 7.65.2 via crafted
> value as the retry delay.

And it points to:
https://github.com/curl/curl/pull/4166

Cheers,

--
Samuel Henrique <samueloph>