cURL / Mailing Lists / curl-library / Single Mail

curl-library

CVE-2009-4355 and libcurl

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 14 Jan 2010 19:07:59 +0100 (CET)

FYI,

I just wanted to tell you about CVE-2009-4355 and an OpenSSL DoS
vulnerability: http://seclists.org/oss-sec/2010/q1/21 since several records
online show references to curl and libcurl in association with it.

I was contacted by the guys at rpath early on during the research of this
flaw, and as the Redhat bug entry
(https://bugzilla.redhat.com/show_bug.cgi?id=546707) shows they thought
libcurl was to blame initially.

It was however quickly determined that libcurl was not the culprit, it could
merely avoid the problem by changing code. The actual final fix was done to
OpenSSL and that's then what the final security alert is about.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2010-01-14

This message: [ Message body ]
Next message: Daniel Stenberg: "Re: Question on how I should use curl_multi_perform"
Previous message: Yang Tse: "Re: [PATCH v4] OpenSSL vs. NSS clash on PKG_CONFIG_LIBDIR"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]