Versions Compared

Version Old Version 48 New Version Current
Changes made by

Scott Cantor

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Tip

This is the advisory page for Service Provider V3 releases. For older V2 SP advisories, refer to the V2 SecurityAdvisories page

...

Version

EOL

User Data Exposure

Resource Exposure

Session Hijacking

Denial of Service

Remote Exploit

Advisories

All


X

X

X

X

2018-08-03, 2018-01-23, 2014-04-09, 2011-10-24

3.5.0

3.4.1

Oct 2024

3.4.0

Jan 2023

3.3.0

Nov 2022

3.2.3

Dec 2021

3.2.2

Jul 2021

2021-06-22

3.2.1

Apr 2021

X

2021-04-26

3.2.0

Mar 2020

X

2020-03-17

3.1.0

Dec 2020

X

2020-08-31

3.0.4

Apr 2020

X

3.0.3

Mar 2019

X

2019-03-11

3.0.2

Dec 2018

X

2018-12-19a

3.0.1

Aug 2018

X

X

X

X

3.0.0

Jul 2018

X

...

In the event that we ship releases known to, or that we subsequently discover to, contain vulnerable libraries and do not have specific plans to immediately issue a patch with a newer version, we will document any known issues here, and our official position as to the lack of relevance of the issue to the software. It is not our aim to pass generic, context-free scanners that simply flag every issue. Automation is not a substitute for human judgement.

V3.4.1

  • OpenSSL on Windows Curl (last reviewed 20242025-0902-0305)

    • The version of OpenSSL 3.0 shipped on Windows at this time contains a number of non-impactful security vulnerabilities. Due to the effort involved, it is unlikely a new version will be supplied until a more significant need arises. Any advisory issued on or before the “last-reviewed” date above has been triaged.

    Curl (last reviewed 2024-07-31)

    • CVE-2024-7264

      • We don’t use the affected feature as we process cerrtificates separately from anything libcurl is doing with them.

    • CVE-2023-46218

      • We do not rely on cookies in our use of Curl.

    • CVE-2023-46219

      • We do not use the HSTS feature, this isn’t a web browser.

    • CVE-2024-0853

      • We do not rely on Curl to validate certificates

    • CVE-2024-2004

      • Even if this in fact affects libcurl itself and not just the command line, we don’t manipulate the protocols (we do for TLS protocols, but not schemes).

    • CVE-2024-2398

      • We don’t build with HTTP/2 support.

    • CVE-2024-6197

      We don’t use those TLS implementations

      CVE-2024-9681, CVE-2024-11053, CVE-2025-0725, CVE-2025-0167, CVE-2025-0665

      • The SP is not impacted by these issues.

  • OpenSSL on Windows (last reviewed 2025-02-11)

    • CVE-2024-9143, CVE-2024-12797

      • The SP is not impacted by these issues.

    • CVE-2024-6874

      We don’t ship curl on macOS

      13176

      • Use of ECDSA is rare, but not unsupported, so this is potentially an issue but the risk is quite low. We will issue a patch to update the library with this fix at the next opportunity but are not prioritizing it.