[Vuln for dependency] Please release new .whl files by using newest curl

[F0otman]

Checklist

• I have searched for similar issues.
• For Python issues, I have tested with the latest development wheel.
• I have checked the release documentation and the latest documentation (for main branch).

My Question

The release files are using curl 7.X, but these softwares have many vulnerabilities
(See https://curl.se/docs/vulnerabilities.html)

Could u release new .whl files for cp11 & cp10 by using curl 8.9.0 ( it's also kind to update a new tag)? Our customers claimed me the Open3D contains the vluns by dependenying old version of curl

[timohl]

Here are the spots that have to change if anybody wants to upgrade:

This is for building from source:

Open3D/3rdparty/curl/curl.cmake

Lines 28 to 33 in f02e7d2

	if(BUILD_CURL_FROM_SOURCE)
	ExternalProject_Add(
	ext_curl
	PREFIX curl
	URL https://github.com/curl/curl/releases/download/curl-7_88_0/curl-7.88.0.tar.xz
	URL_HASH SHA256=fd17432cf28714a4cf39d89e26b8ace0d8901199fe5d01d75eb0ae3bbfcc731f

This also requires prebuilt curl to be uploaded in https://github.com/isl-org/open3d_downloads:

Open3D/3rdparty/curl/curl.cmake

Lines 64 to 76 in f02e7d2

	else()
	# Optimize for Ubuntu x86. Curl can take a long time to configure.
	#
	# To generate pre-compiled curl:
	# 1. Use Ubuntu 18.04 (eg. in docker), not 20.04+.
	# 2. -DBUILD_CURL_FROM_SOURCE=ON, build Open3D: make ext_curl
	# 3. cd build/curl
	# 4. tar -czvf curl_7.88.0_linux_x86_64.tar.gz include lib
	ExternalProject_Add(
	ext_curl
	PREFIX curl
	URL https://github.com/isl-org/open3d_downloads/releases/download/boringssl-bin/curl_7.88.0_linux_x86_64.tar.bz2
	URL_HASH SHA256=745f33ad65c550e1885a5341945a8a952123565cfb83b477433f3784857ec0ea

Also the readme gotta change (which already seems out of date):

Open3D/3rdparty/README.md

Lines 119 to 123 in f02e7d2

	--------------------------------------------------------------------------------
	curl 7.79.1 Curl license
	Curl is a command-line tool for transferring data specified with URL syntax.
	https://github.com/curl/curl
	--------------------------------------------------------------------------------

Sorry, I currently have no time to test building with latest curl and I am not sure how to upload anython to https://github.com/isl-org/open3d_download, but I hope that helps if you would like to create a pull request yourself.

[ssheorey]

Thanks @timohl for looking into this. I think this should be a quick / short PR. To upload to open3d_download, just upload the binary somewhere and make sure to add its SHA256 sum to the Open3D PR. Small files can be pllaced directly in the PR with a note and I'll move it to open3d_download, as long as the sha256sum matches.

Labelling as "good first issue" for someone to pick this up.