cURL / Mailing Lists / curl-library / Single Mail


Regression on FTP connections with --anyauth

From: Dan Fandrich <>
Date: Tue, 11 Feb 2014 22:57:02 +0100

curl 7.35.0 in commit 8ae35102c (the fix for CVE-2014-0015) introduces a
serious regression in handling reuse of FTP connections. The following
example shows the problem:

curl -v --anyauth \ \

as does adding --anyauth to the command section in test 210 (the test hangs
because the ftp server can only handle one connection at a time).

In prior versions, libcurl would reuse the FTP control connection for the
second URL. After that commit, it opens a new control connection, leaving the
old one open as well. After downloading a few files (i.e. opening a few
connections), FTP servers will often prevent further connections from the same
IP address as DOS protection, which causes all remaining downloads to fail.

This issue was reported at where
it causes Mageia package downloads to fail when several are being downloaded at

>>> Dan
List admin:
Received on 2014-02-11