3,085 questions
curl.exe 8.4.0.0 will be included with 2023-11 LCUs:
KB5032196: Win10 1809
KB5032189: Win10 22H2
KB5032198: Server 2022
KB5032192: Win11 21H2
KB5032190: Win11 22H2/23H2
KB5032202: Server 23H2
Patch for cURL 8.4.0 CVE-2023-38545 ETA?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 70%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Alexis Martinez
50
Reputation points
Any ETA when a patch for cURL 8.4.0 will be released. We currently see that cURL 8.4.0 has been released by the cURL project, but Microsoft hasn't released a patch for this? We need to get this patched immediately on our Windows 10 and Server appliances.
Our team has attempted to copy and paste the new version of cURL, but it appears that it reverts to the old version of cURL when a hardlink exists to the Windows Component Store. The only viable route would be to have Microsoft release a patch.
Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Windows for business | Windows Server | Devices and deployment | Configure application groups
Windows for business | Windows Client for IT Pros | User experience | Other
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 0%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECL%3C/text%3E%3C/svg%3E)
Chris Leonard (MS) 15 Reputation points2023-10-27T16:29:32.92+00:00 What are we supposed to do here Microsoft ?!? Deleting the file breaks system updates, manually updating is failing!!!
-
Alexis Martinez 50 Reputation points
2023-10-27T16:34:18.09+00:00 had this break a couple of systems on testing. You can easily fix it with, but it reverts to the original curl file.
dism /Online /Cleanup-Image /RestoreHealth sfc /scannow -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 5%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Reasoner, Brian 5 Reputation points2023-10-27T21:09:56.7633333+00:00 We really need some guidance from Microsoft on this issue.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 83%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
abbodi86 4,036 Reputation points2023-10-28T12:42:33.8633333+00:00 @Chris Leonard (MS) You can create a folder for external curl (released by the cURL project), e.g.: C:\cURL
then add that folder to PATH system environment, prepending "%SystemRoot%\system32" -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 1%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETS%3C/text%3E%3C/svg%3E)
Tiago Santana 0 Reputation points2023-11-06T18:57:59.4666667+00:00 Hi, someone applied the workaround suggested by Microsoft to mitigate this vulnerability and worked? I tested the Policy, but the Curl keep working after apply the policy and restart the device.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 57.00000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDJ%3C/text%3E%3C/svg%3E)
Donald Jackson 25 Reputation points2023-11-06T20:54:49.44+00:00 I just found this... for what it's worth.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38039
-
Donald Jackson 25 Reputation points
2023-11-09T14:08:51.9666667+00:00 Here's the so-called "fix" https://answers.microsoft.com/en-us/windowserver/forum/all/how-to-update-curl-version-to-840/96edfd33-9316-4232-825b-bfb4ef147d6f My guess is that this is temporary and MS will release something next week on Tuesday.
Sign in to comment
3 answers
Sort by: Most helpful
-
abbodi86 4,036 Reputation points
2023-11-12T20:09:21.51+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 35%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EER%3C/text%3E%3C/svg%3E)
Eric Romo 0 Reputation points2023-11-14T21:22:17.34+00:00 Just patched with KB5032196, and cURL is still showing as 7.71.1. I also did not see anything mentioning cURL in the release notes. Did you observe something differently?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2023-11-16T11:39:05.45+00:00 Hi @abbodi86
When it would be available for the Windows 2019 server?
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 64%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETH%3C/text%3E%3C/svg%3E)
Tyler Hodges 0 Reputation points2023-10-31T17:29:50.8833333+00:00 Artic Wolf is showing this as a MySql vuln but nothing shows in Defender for Endpoint. Where's the patch?
-
Anonymous
2023-12-05T06:51:33.68+00:00 Hello Alexis Martinez
Microsoft has included curl.exe version 8.4.0 in the Windows Update released on November 14, 2023, for currently supported on-premises versions of Windows clients and servers.
You need to manually add the patch of the corresponding version from https://www.catalog.update.microsoft.com/Home.aspx, please refer to this link for the patch of the corresponding version:
Best Regards,
Hania Lian