CVE-2023-28320: 
MySQL vulnerability analysis and mitigation

A denial of service vulnerability exists in curl versions 7.9.8 to 8.0.1 when built with the synchronous resolver. The vulnerability (CVE-2023-28320) was discovered and reported on April 2, 2023, and was fixed in curl version 8.1.0 released on May 17, 2023 (Curl Advisory).

The vulnerability occurs when curl is built to use the synchronous resolver, which allows name resolves to time-out slow operations using alarm() and siglongjmp(). When performing this operation, libcurl used a global buffer that was not mutex protected, potentially causing crashes or misbehavior in multi-threaded applications. The issue is classified as CWE-662: Improper Synchronization with a CVSS severity rating of Low (2.5) (Curl Advisory).

The vulnerability primarily affects multi-threaded applications using curl with the synchronous resolver. Most platforms and systems that build curl use either the threaded resolver or c-ares, which are not affected by this flaw. Additionally, since alarm() uses signals, which rarely mix well with threads, the risk of this vulnerability affecting many users is reduced (Curl Advisory).

The recommended mitigations include upgrading to curl version 8.1.0 or later, applying the patch to local versions, or avoiding the use of the synchronous name resolver option. The fix involves adding proper mutex protection for the buffer when curl supports timeout capabilities (Curl Advisory).