curl-library

Re: SECURITY VULNERABILITY: inappropriate GSSAPI delegation

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Thu, 7 Jul 2011 12:42:26 -0700

On Thu, Jul 07, 2011 at 03:14:15PM -0400, Rob Crittenden wrote:
> This completely disables delegation in libcurl. Are there plans to
> add an option for this or would you accept a patch to add this? The
> freeipa project needs to be able to do delegation in libcurl.

That was a limitation we accepted in the interests of releasing a timely
fix and avoiding prematurely publicising the issue. Since none of the
core curl developers uses Kerberos, it would have been a bit risky to
develop a proper API without public feedback. I believe that patches
to add such an API would be welcome.

>>> Dan
Received on 2011-07-07