cURL

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Docs > Security > Advisory

Security Advisory July 10 2007

         libcurl GnuTLS insufficient cert verification Vulnerability
         ===========================================================
 
Project cURL Security Advisory, July 10th 2007
http://curl.haxx.se/docs/security.html
 
1. VULNERABILITY
 
libcurl (when built to use GnuTLS) fails to verify that a peer's certificate
hasn't already expired or hasn't yet become valid. This allows malicious
servers to present certificates to libcurl that won't be rejected properly.
 
Notably, the cacert and common name checks are still in place which reduces
the risk for random servers to take advantage of this flaw.
 
There is no known exploit at the time of this writing.
 
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2007-3564 to this issue.
 
2. AFFECTED VERSIONS
 
Affected versions: curl and libcurl 7.14.0 to and including 7.16.3
Not affected versions: curl and libcurl 7.13.2 and earlier, 7.16.4 and later
 
Note that libcurl needs to be built to use GnuTLS for this flaw to be in
effect.
 
Also note that (lib)curl is used by many applications, and not always
advertised as such.
 
3. RECOMMENDATIONS
 
We suggest you take one of the following actions immediately, in order of
preference:
 
 I - Upgrade to curl and libcurl 7.16.4
 
 II - Apply the patch http://curl.haxx.se/libcurl-gnutlscert.patch to your
      libcurl version and install this
 
 III - Build curl with SSL provided by another library, like OpenSSL or NSS
 
 IV  - Build curl with SSL disabled
 
4. TIME LINE
 
We were notified by Kees Cook on June 27th, 2007. His notification email
contained a valid patch.
 
We agreed on and coordinated the synchronous disclosure of this problem
together with the curl 7.16.4 release.
 
curl 7.16.4 was released on July 10 2007, just before this flaw was publicly
disclosed.
 
5. CREDITS
 
Reported to us by Kees Cook. Thanks a lot!

donate! Page updated March 21, 2014.
web site info

File upload with ASP.NET