Yeah, Heartbleed

From: Daniel Stenberg <>
Date: Sat, 12 Apr 2014 23:48:18 +0200 (CEST)

Hey all,

(cross-posted to both curl-users and curl-library to reach widely, please send
responses to the proper single list.)

Nobody missed Heartbleed[1] this past week I'm sure. If you did, you must've
been on an awesomely disconnected vacation.

Anyway, I've gotten numerous questions about curl in this context so I wanted
to spell out the details once and for all.

Heartbleed is a flaw in OpenSSL in a certain version span. Clients are *also*
vulnerable to this flaw, which means that if you run curl or libcurl with a
vulnerable OpenSSL version a rogue server can read client memory.

Again, this is an OpenSSL flaw but since OpenSSL is a library, applications
that use it will be affected. If you use libcurl using OpenSSL then you are
affected too.

This is not a flaw in curl nor libcurl, we will not and cannot release
anything to address this problem.

Things to do to avoid being affected include:

  - run a fixed OpenSSL version, or an older version from before the flaw was

  - build libcurl against the numerous other fine TLS libraries that we support

[1] =
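A practical way to act on the advice above is to look at which TLS backend a given curl build reports and, if it is OpenSSL, whether the reported version falls inside the affected span. The script below is an added example and is not part of Daniel's mail or of the curl project. It parses the first line of `curl --version` (constructed sample lines are embedded so it runs offline) and assumes the publicly documented affected range of OpenSSL 1.0.1 through 1.0.1f, which the mail itself does not state. Because `curl --version` reports the OpenSSL library actually loaded at run time, it reflects the shared library on the machine rather than whatever curl was compiled against.

```python
import re
import subprocess

# Affected OpenSSL versions, as publicly documented (assumption: not taken from the
# mail above). 1.0.0 and 0.9.8 never shipped the TLS heartbeat code; 1.0.1g is fixed.
AFFECTED_LOW = "1.0.1"
AFFECTED_HIGH = "1.0.1f"

# TLS backend names that curl prints as "Name/version" in its version line.
TLS_BACKENDS = {"OpenSSL", "LibreSSL", "BoringSSL", "GnuTLS", "NSS",
                "PolarSSL", "mbedTLS", "wolfSSL", "CyaSSL", "axTLS"}
# Backends that curl prints without a version number.
TLS_BACKENDS_NOVERSION = {"SecureTransport", "WinSSL", "schannel"}

# Constructed sample first lines of `curl --version` for offline demonstration.
SAMPLE_OPENSSL_VULN = "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.28"
SAMPLE_OPENSSL_FIXED = "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1g zlib/1.2.8"
SAMPLE_OPENSSL_OLD = "curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 OpenSSL/1.0.0j zlib/1.2.5"
SAMPLE_GNUTLS = "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 GnuTLS/3.2.12 zlib/1.2.8"
SAMPLE_NO_TLS = "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 zlib/1.2.8"


def parse_tls_backend(version_line):
    """Return (backend, version) found in a curl version line, or (None, None)."""
    for token in version_line.split():
        if "/" in token:
            name, ver = token.split("/", 1)
            if name in TLS_BACKENDS:
                return name, ver
        elif token in TLS_BACKENDS_NOVERSION:
            return token, ""
    return None, None


def openssl_key(version):
    """Turn '1.0.1f' into ((1, 0, 1), 'f') so versions compare in release order.

    The letter suffix sorts after the bare number ('' < 'a'), matching OpenSSL's
    1.0.x numbering. Returns None for strings that do not look like that scheme.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def heartbleed_status(version_line):
    """Classify a curl version line by the reported TLS backend and version.

    'affected-version-string' means only that the reported number lies in the
    affected span; distributions that backported the fix keep the old version
    string, so confirm against the vendor advisory before concluding anything.
    """
    backend, version = parse_tls_backend(version_line)
    if backend is None:
        return "no-tls"
    if backend != "OpenSSL":
        return "not-openssl"
    key = openssl_key(version)
    if key is None:
        return "unknown-version"
    if openssl_key(AFFECTED_LOW) <= key <= openssl_key(AFFECTED_HIGH):
        return "affected-version-string"
    return "fixed-or-unaffected"


def check_local_curl(binary="curl"):
    """Run the local curl binary and classify it; returns 'curl-not-found' if absent."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "curl-not-found"
    first_line = out.splitlines()[0] if out else ""
    return heartbleed_status(first_line)


if __name__ == "__main__":
    for line in (SAMPLE_OPENSSL_VULN, SAMPLE_OPENSSL_FIXED, SAMPLE_OPENSSL_OLD,
                 SAMPLE_GNUTLS, SAMPLE_NO_TLS):
        print(f"{heartbleed_status(line):24s} <- {line}")
    print("local curl:", check_local_curl())
```

A result of `not-openssl` corresponds to the second remedy in the mail: a libcurl built against another TLS library is outside the scope of this flaw. For the `affected-version-string` case, the version string alone cannot distinguish a patched distribution package from an unpatched one, so treat it as a prompt to check the package's changelog or advisory rather than as a verdict.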

