From 57904066acf3d2657bf223f81e776ae3b2d12027 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 7 Nov 2024 23:42:09 +0100 Subject: [PATCH 1/3] download: link to Rock-solid curl --- _download.html | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/_download.html b/_download.html index ca5e73eba9..76933bd3f4 100644 --- a/_download.html +++ b/_download.html @@ -52,6 +52,12 @@ +SUBTITLE(Long-term support) +

+ There are long-term support curl releases + called Rock-solid curl, provided + as a commercial offer. + SUBTITLE(Packages)

#include "dl/files.html" From 028f65d49365511206ffa21a64590ca0a0d3586d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 7 Nov 2024 23:43:58 +0100 Subject: [PATCH 2/3] CVE-2024-9681.md: avoid the use of the word "will" --- docs/CVE-2024-9681.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/CVE-2024-9681.md b/docs/CVE-2024-9681.md index c47d71aecc..6849f3c2fb 100644 --- a/docs/CVE-2024-9681.md +++ b/docs/CVE-2024-9681.md @@ -42,7 +42,7 @@ was otherwise intended to *possibly* be protected. But: `example.com` as per above is deliberately setup for HSTS, and servers should -probably expect that clients will try upgrading to HTTPS for a while outside +probably expect that clients migth try upgrading to HTTPS for a while outside of the time range set in its headers. The access that fails in this scenario tries to use plain HTTP to the domain. From aa8fded2d58f78a84a2b38fb73e3f18f939f44b5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 7 Nov 2024 23:45:31 +0100 Subject: [PATCH 3/3] fixup CVE-2024-9681.md words --- docs/CVE-2024-9681.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/CVE-2024-9681.md b/docs/CVE-2024-9681.md index 6849f3c2fb..551646423a 100644 --- a/docs/CVE-2024-9681.md +++ b/docs/CVE-2024-9681.md @@ -42,7 +42,7 @@ was otherwise intended to *possibly* be protected. But: `example.com` as per above is deliberately setup for HSTS, and servers should -probably expect that clients migth try upgrading to HTTPS for a while outside +probably expect that clients might try upgrading to HTTPS for a while outside of the time range set in its headers. The access that fails in this scenario tries to use plain HTTP to the domain. 
@@ -56,8 +56,8 @@ ends up in now and then completely without involving curl issues and therefore needs to have logic for. An application can for example work around the situation by simply toggling off HSTS. -This bug is **not** considered a *C mistake* (ie not likely to have been -avoided had we not been using C). +This bug is **not** considered a *C mistake* (not likely to have been avoided +had we not been using C). This flaw also affects the curl command line tool.
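Review bot: The added line in the docs/CVE-2024-9681.md hunk of patch 2/3 misspells the replacement for "will" as "migth"; it should read "clients might try upgrading to HTTPS for a while". Patch 3/3 only corrects this in its first hunk, so folding that correction into 2/3 before merging would keep the misspelling out of the history. While this paragraph is being touched, the context line "is deliberately setup for HSTS" uses "setup" as a verb, where "set up" is the correct form.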
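Review bot: The second hunk of patch 3/3 (@@ -56,8 +56,8 @@) rewords the *C mistake* parenthetical by dropping "ie", which the subject "fixup CVE-2024-9681.md words" does not describe and which is unrelated to the "will" change the series is about. A subject that names the change, for example that it removes the abbreviation from the C mistake sentence, would make this commit understandable on its own in the log of a security advisory file.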