On Fri, 13 Dec 2024, 陈星杵 via curl-library wrote:

I found that the affected version list of CVE-2022-43551 on https://curl.se/docs/CVE-2022-43551.html is missing one. First of all, thank you very much for the very clear explanation on the website about the root causes of vulnerabilities and patches. But based on my review and analysis of the code repository, I have found that this vulnerability still exists in 'curl-7_74_0'.

Thanks for looking out for mistakes.

The reason we don't say 7.74.0 for this CVE is that while the vulnerable code was actually present then, the HSTS feature was not enabled by default and was labelled as experimental. It means that only users who would go against our explicit recommendation and use in production something that we say is experimental would be vulnerable in that version.

In 7.77.0 we removed the experimental label, so the code that was already in place then became actually vulnerable.

I believe this is the pragmatic way of dealing with the affected version range when it comes to experimental features that are supposed to be switched off in production.

--

 / daniel.haxx.se || https://rock-solid.curl.dev