I'm having some issues with some of our devices that can't be updated to 14 (2017 devices), and I need to patch the cURL vuln CVE-2023-38545, with 14.2 cURL is being updated to 8.4, but in 13.6.3 it is not being patched.
Any solution for this?
From this article, it doesn't sound like most people would be affected by this vulnerability which is most likely why Apple is not patching it on older versions of macOS:
https://www.intruder.io/blog/curl-high-rated-cve-2023-38545
Does not seem like there is any reason for concern unless you have a system configuration using SOCKS5 proxy.
FYI, just because there is a high vulnerability issue....it does not mean every system is affected by the issue. Of course if it is possible to update it, then you should, but in this case you cannot do so. Even if you were to install a third party version, it still won't help with the macOS built-in version which will still exist and which apps could still access. Again, there is nothing for you to do except although the article I linked did mention a buffer size setting which may prevent the vulnerability. Those 2017 models are now on hardware life support anyway, so it won't be long before repairs are no longer possible and Ventura will no longer be supported by the end of 2025 with many third party apps also not allowing for new updates to their apps after that time either.
Your choice is to only run the absolute latest version of macOS released every year, or to live with the various unpatched vulnerabilities found in every older OS....even if it is only several months now in low priority mode. It is a balancing act IT admins must balance based on their business needs and use. This is what buying into the Apple ecosystem involves....if it is unacceptable, then you need to look at other ecosystems and operating systems.
User wrote " " I'm having some issues with some of our devices that can't be updated to 14 (2017 devices), and I need to patch the cURL vuln CVE-2023-38545, with 14.2 cURL is being updated to 8.4, but in 13.6.3 it is not being patched.
A - Do a search for " CVE-2023-38545 " in any of the below linked publication from Apple
Any solution for this?
If you believe it should be fixed by Apple >>
Then have a few suggestions ;
Start now and open an Apple Support Ticket as they are PAID Apple Employees to deal will these types of issues .
Product Feedback - Apple and make it known to Apple regarding this ongoing issue
About the security content of macOS Ventura 13.6.3
About the security content of macOS Sonoma 14.2
About the security content of macOS Sonoma 14.2.1
Sorry, I was reading this as iphones for some reason… insufficient post-holiday caffeine…
All available updates can be found in settings>Software Update.
Thank you for you reply, unfortunately we do have this vuln in some of our devices, just a little group are 2017 machines, we're now thinking of replacing them... We have some audits soon and the vuln tool detects this on most of our devices, anyway thank you for your response.
cURL vulnerability patch not available for macOS 13
