Like all major Linux distributions, Ubuntu backports security and bug fixes so that updates do not break applications due to version incompatibilities.
Ubuntu only packages the latest versions of software when there is a new Ubuntu release. Then, for the life of each Ubuntu release, they keep software patched to ensure security and stability without introducing breaking changes.
The table below lists the cURL version installed on each Ubuntu version. As long as your server's Ubuntu version has not reached its end of life, the cURL installation on your server is being regularly updated with security patches.
| Ubuntu Version | cURL Version | Changelog |
|---|---|---|
| Ubuntu 24.04 | cURL 8.5.0 | changelog |
| Ubuntu 22.04 | cURL 7.81.0 | changelog |
| Ubuntu 20.04 | cURL 7.68.0 | changelog |
| Ubuntu 18.04 | cURL 7.58.0 | changelog |
| Ubuntu 16.04 | cURL 7.47.0 | changelog |
| Ubuntu 14.04 | cURL 7.35.0 | changelog |
If you receive a PCI compliance warning telling you to update to the most recent version of cURL, your PCI scanner is most likely showing a false positive.
You do not and should not take any action to change your server.
Instead, let the company performing the PCI scan know the version of Ubuntu the server is running and the version of the cURL package installed on the server. You can get this information using the following commands:
lsb_release -r dpkg --list curl
You may also want to provide the company performing the scan with a link to the cURL changelog for your server's Ubuntu version (see the table above).