Vulnerable curl version

Hello - if your install says you may have a vulnerable curl install and furthermore, says:
try running curl -v https://xxxxxxxx.com/matomo/matomo.js on your server and see if it is able to fetch the file successfully

That’s not very useful: because what is the verdict if it is or isn’t able to retrieve the file successfully? It would be more useful to indicate that it is or isn’t vulnerable based on what it retrieves rather than just asking the admin to see if it fetches the file successfully.

In case you are referring to the output from https://plugins.matomo.org/DiagnosticsExtended, keep in mind that this plugin is experimental (as indicated by the :test_tube: icon).

The vulnerable curl version check just compares your curl version with https://curl.se/docs/security.html. Keep in mind that there are many vulnerabilities that don’t affect curl when used in Matomo and the last ones were only reported last week, so it might take a while for the fixes to land on every system.

That message is completely independent of the curl vulnerability check. Instead it tries to access matomo.js to check if it is served by your webserver with the correct mime type and gzipped.

Well I did run:
[root@xxxxx ~]# rpm -q --changelog curl | grep CVE-2022-27776
[root@xxxxx ~]# rpm -q --changelog curl | grep CVE-2022-27775
[root@xxxxx ~]# rpm -q --changelog curl | grep CVE-2022-27774
[root@xxxxx ~]# rpm -q --changelog curl | grep CVE-2022-22576

Which were the ones listed in the security.html

And all returned zero output - does that mean those specific CVEs are not present?

I don’t know which distribution you are using, but it seems like the issues are still open in Debian and Red Hat:
e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-22576
https://security-tracker.debian.org/tracker/CVE-2022-22576

Centos - and does this thread/diagnostics-extended refer to php or php-curl?

The curl check refers to the libcurl that PHP uses.

Matomo reports “Your curl version (7.81.0) might be vulnerable…” but when I run curl -V, the version comes back as curl 7.29.0, so I’m trying to get the proper way to display the curl version for your reported error message...

Actually it reports:

libcurl/7.29.0

This is the code that detects the curl version:

This is what the following returns on my system that is running matomo:

curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

See attached screen shot. Why the discrepancy do you think? Am I using the wrong command?

You could try php -i | grep cURL to get the version of libcurl that your PHP binary is compiled against.

So your program is correct.

Results show:

php -i | grep cURL
cURL support => enabled
cURL Information => 7.81.0

Don’t know what curl -V is returning, because the response there shows: libcurl/7.29.0

Do you have a clue on how that should be updated/upgraded in Centos?
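Putting the two checks from this thread into one script, as an added example that is not code from the thread, from Matomo or from the DiagnosticsExtended plugin: it extracts the libcurl version from curl -V and from php -i output (the discrepancy discussed above), applies the plain version comparison the diagnostic relies on, and then looks for a CVE id in rpm changelog text, since a distribution can backport a fix without bumping the version. The curl -V, php -i and changelog texts are constructed samples in the shape shown in the thread; the 7.83.0 fix release is taken from the curl security page and should be verified there.

```shell
#!/bin/sh
# Added example, not code from this thread or from Matomo/DiagnosticsExtended.
# Two checks discussed above: which libcurl the PHP binary really uses (as
# opposed to the CLI curl), and whether the rpm changelog shows a CVE backport.

# Constructed sample output shaped like the thread's `curl -V` and
# `php -i | grep cURL` results; a real run would pipe those commands instead.
SAMPLE_CURL_V='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7'
SAMPLE_PHP_I='cURL support => enabled
cURL Information => 7.81.0'
# Constructed `rpm -q --changelog curl` excerpt; packager and release are made up.
SAMPLE_CHANGELOG='* Tue May 10 2022 Example Packager - 7.29.0-99
- fix CVE-2022-22576 (constructed entry)'

# libcurl version linked into the CLI curl binary (the libcurl/X.Y.Z token).
cli_libcurl_version() {
  printf '%s\n' "$1" | sed -n 's/.*libcurl\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}
# libcurl version PHP's curl extension was built against ("cURL Information").
php_libcurl_version() {
  printf '%s\n' "$1" | sed -n 's/^cURL Information => \([0-9][0-9.]*\).*/\1/p' | head -n 1
}
# version_lt A B: succeeds when dotted version A sorts before B; avoids
# sort -V so it also works on an older CentOS userland.
version_lt() {
  [ "$1" = "$2" ] && return 1
  first=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$first" = "$1" ]
}
# Pure version comparison, the heuristic behind the "might be vulnerable"
# message. $1 = installed libcurl, $2 = first upstream release with the fix.
version_verdict() {
  if version_lt "$1" "$2"; then echo maybe-vulnerable; else echo fixed-upstream; fi
}
# Backport check: a distro package can ship the fix under an old version
# number, which is why the version heuristic alone over-reports.
changelog_has_cve() {
  printf '%s\n' "$1" | grep -q -F -- "$2"
}

main() {
  echo "CLI libcurl: $(cli_libcurl_version "$SAMPLE_CURL_V")"
  echo "PHP libcurl: $(php_libcurl_version "$SAMPLE_PHP_I")"
  # 7.83.0 is the upstream release that fixed CVE-2022-22576; verify on curl.se.
  echo "7.29.0 vs fix 7.83.0: $(version_verdict 7.29.0 7.83.0)"
  changelog_has_cve "$SAMPLE_CHANGELOG" CVE-2022-22576 && echo "backport present"
}
main
```

On a live CentOS host, replace the three SAMPLE_ strings with the output of curl -V, php -i | grep cURL and rpm -q --changelog curl; a "maybe-vulnerable" verdict with no changelog hit is the case worth escalating to the distribution's security tracker.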