How to update cURL

著者:
Micah Silverman
Micah Silverman
wordpress-sync/feature-screenshot-mockup

October 11, 2023

0 分で読めます

On October 3, 2023, the curl team preannounced a pending fix for a high-severity vulnerability, which impacts both libcurl and curl

Snyk products help you identify and fix vulnerable packages and containers, but this vulnerability impacts curl, a command-line tool that many developers use on a daily basis. It's also distributed with many operating systems, so we thought it would be beneficial to provide some tips on how you can get it upgraded on your system.

How to Update cURL on your OS

In this section, we provide version check and upgrade advice for different operating systems. Knowing this in advance will help you upgrade when the 8.4.0 version is released.

Updating cURL on macOS

Note: This section covers using the latest version of curl on the latest version of MacOS running on M1 Mac’s. For Intel Macs or older versions of MacOS, your mileage may vary.

On macOS Ventura (13.5.2) and higher, curl is installed by default. However, it’s an older version of curl (8.1.2). Snyk recommends installing a newer version and setting this as your default, as the built-in version of curl has known vulnerabilities.

The good news is that if you update to the latest version following these instructions, you’ll be well prepared to update again when curl 8.4.0 is released.

The most popular third-party package manager for macOS is Homebrew. The latest version of curl on Homebrew is 8.3.0, released mid-September.

Install curl with Homebrew by executing the following:

brew install curl

You won’t be done just yet. This is what’s referred to as a “keg only” install. Homebrew takes care not to overwrite or override utilities that ship with macOS by default. So, you have to explicitly express that you want to use the Homebrew-installed version of curl over the system default. You do this by making sure that the Homebrew executable path is first in your system path. The default location for homebrew installs in macOS is /opt/homebrew (you can verify your homebrew path with the brew --prefix command), and you can prepend your path with the homebrew version via the following command (using your brew prefix):

echo 'export PATH="/opt/homebrew/opt/curl/bin:$PATH"' >> ~/.zshrc

Note: Previous versions of Homebrew used a different path, and previous versions of macOS used bash instead of zsh.

You can confirm that you’re using the correct version of curl by opening up a new terminal window and executing:

curl --version

You should see something like this:

curl 8.3.0 (aarch64-apple-darwin22.6.0) libcurl/8.3.0 (SecureTransport) OpenSSL/3.1.3 zlib/1.2.11 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.56.0 librtmp/2.3 OpenLDAP/2.6.6
Release-Date: 2023-09-13

When Homebrew is updated with the 8.4.0 version of curl, you can simply run thebrew install curl command again to get the latest version. 

We’ll update this post when the 8.4.0 version is released for Homebrew.

Updating cURL on Windows

Windows 10 (build 1803) and higher come with curl pre-installed but with an older version. To test that you have curl and what version you’re using, you’ll need to open the Command Prompt. Click on the Start menu and type cmd on your keyboard. In the Command Prompt, enter curl --version to see if you have curl installed and which version. Anything less than 8.4.0 will need to be updated.

C:\Users\bc>curl --version
curl 8.0.1 (Windows) libcurl/8.0.1 Schannel WinIDN
Release-Date: 2023-03-20
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS HSTS HTTPS-proxy IDN IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI threadsafe Unicode UnixSockets

Another thing to double-check is if you’re using the pre-installed version of curl on Windows or a separate curl installation. Check this by entering where curl in your Command Prompt. If the path shown in the result includes C:\Windows\System32, then it’s referencing the pre-installed version of curl:

C: \Users\bc>where curl
C: \Windows\System32\curl.exe

Once you’ve identified whether you have curl installed, what version you’re using, and whether it’s the pre-installed version or a separate install, you’re equipped with all the information you need to update to the latest version. When it comes to the pre-installed version of curl, this is provided and managed by Microsoft and, therefore, can only safely be updated through a Windows Update published by Microsoft. You can check for an official update to Windows by clicking on your Start menu, typing “Windows Update,” and selecting the “Check for updates” option. This will open the Settings app and display the Windows Update view. There, you can click on the “Check for updates” button to retrieve any of the latest updates released from Microsoft, and one will likely include the patched version of curl.

Outside of an official Windows Update, you do have some options to update to the latest version and use it instead of the pre-installed one. All of these options will involve modifying your PATH environment variables, so if you’re uncomfortable doing that, you should wait for an official Windows Update, as noted above.

Installing a newer version of curl on Windows can be done in a few ways: 

The quickest and easiest way to install/update curl on Windows is with Winget.

Installing cURL via Winget

In your command prompt, run winget install curl.curl. This will install curl using the native winget packages directory and add it to your User Path environment variable for you. However, when you run curl --version, it will default to the pre-installed curl on your system and not the newly installed version. 

Find the curl value Winget added to your User Path variable and copy it. Then, add it to your System Path variable as a top priority (above “C:\Windows\system32”). It should look similar to the following:

blog-fix-curl-environ-var

Once that’s done, go back to your Command Prompt and run refreshenv so it picks up your environment variable changes. When that completes, run curl --version to verify it is now using the latest installed version of curl that Winget installed for you.

Installing cURL via Chocolatey

First, install Chocolatey if you don’t already have it. You can read more about doing this from Chocolatey’s documentation. After it’s installed and ready to use, you can run the following command from the Command Prompt/terminal as an Administrator:

choco install curl
blog-fix-curl-admin-command

However, you’re not done yet. If you run curl --version, you’ll notice that it still reports as the previous/older version. To fix this, you need to update your system environment variables. Click on your Start menu, type Edit the system environment variables, and select the first option. Once the System Properties window opens, click the Environment Variables… button, which will open a new window titled Environment Variables. In this window, look for the System variables section and find the entry for Path under the Variable column.

blog-fix-curl-system-var-path

Click on the Edit… button to edit the value and find the entry for chocolatey as C:\ProgramData\chocolatey\bin. Select that entry and use the Move Up button to move it to the top of the list, then click OK.

Now, back in your Command Prompt/terminal, enter refreshenv to update with the changes you made to your environment variables. After that, run curl --version again, and you should see the updated version is now being used. You can also run where curl to see the two installed instances of curl on your machine: the first should be your new version installation location, and the second should show the system installation location. You’re all set to start using the new version of curl now.

C:\Users\bc>where curl
C:\ProgramData\chocolatey\bin\curl.exe
C:\Windows\System32\curl.exe

Updating cURL on Linux

If you run curl --version and determine that you're running a vulnerable version, you can update it on your system once the fixed version is available.

Updating curl on Linux largely depends on which package manager your distribution is using, but these commands should give you an idea of how to proceed based on your distro. Generically, you'll probably want to tell the package manager to refresh the package index cache and then install a new version. Specifically, per distro, you would:

  • For apt based distros, such as Debian or Ubuntu:

    • Update indexes: apt-get update

    • Install latest version: apt-get upgrade curl

  • For snap packages (primarily Ubuntu):

    • Install latest version: snap install curl

  • For distros that use dnf, such as RHEL, Rocky, and Fedora:

    • Check for updates: dnf check-update

    • Install latest version: dnf install curl

  • And for apk on Alpine:

    • Update indexes: apk update

    • Install latest version: apk add curl

Note that getting an upgraded version would have a prerequisite of the various distros updating their package repositories. If, after running the appropriate command for your distribution, you run curl --version, and you don’t see the 8.4.0, check your path to be sure no other version is installed ahead of it. Alternatively, you can go to curl - Download to find a compiled binary for your platform.

$ curl --version
curl 7.81.0
$ which curl
/home/ubuntu/bin/curl

$ echo $PATH
/home/ubuntu/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

$ /usr/bin/curl --version
curl 8.4.0

In the above example, a copy of the older version is at ~/bin/curl, and since that is in my path first, it’s picking it up. Remove the older version or take it out of your path to resolve.

Feeling Brave? Build curl yourself!

The latest build-from-source results in version 8.4.0-DEV. While there’s no guarantee that the latest code has the fix for the high vulnerability in it, if you’re comfortable with building from source, you will be able to get the absolute latest version first on October 11.

In this section, we’ll look at building on an M1 Mac running MacOS Ventura. The developer team, led by Daniel Stenberg (badger on GitHub), has done a remarkable job of making curl easy to build on different OS’s.

In the installation documentation, there’s a section on building and installing for Mac that worked out of the box for us. Note: You will need to have Xcode command line tools installed for this to work.

I executed the following to build curl:

autoreconf -fi
export ARCH=arm64
export SDK=macosx
export DEPLOYMENT_TARGET=13.0
export CFLAGS="-arch $ARCH -isysroot $(xcrun -sdk $SDK --show-sdk-path) -m$SDK-version-min=$DEPLOYMENT_TARGET"
./configure --host=$ARCH-apple-darwin --prefix $(pwd)/artifacts --with-secure-transport
make -j8

I then confirmed the build with the following:

./src/.libs/curl --version

curl 8.4.0-DEV (aarch64-apple-darwin) libcurl/8.4.0-DEV SecureTransport zlib/1.2.11
Release-Date: [unreleased]

You can then put this newly compiled curl in a local ~/bin dir or something earlier in your path than the default curl, until your distro/operating system provides an update. Once an update is available, we'd suggest adopting that and removing rogue copies in case of future vulnerabilities.

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk (スニーク) は、デベロッパーセキュリティプラットフォームです。Snyk は、コードやオープンソースとその依存関係、コンテナや IaC (Infrastructure as a Code) における脆弱性を見つけるだけでなく、優先順位をつけて修正するためのツールです。世界最高峰の脆弱性データベースを基盤に、Snyk の脆弱性に関する専門家としての知見が提供されます。

無料で始める資料請求

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon