Re: Yeah, Heartbleed

From: Rich Gray <>
Date: Sat, 12 Apr 2014 18:48:28 -0400

Daniel Stenberg wrote:
> Heartbleed is a flaw in OpenSSL in a certain version span. Clients are
> *also* vulnerable to this flaw, which means that if you run curl or libcurl
> with a vulnerable OpenSSL version a rogue server can read client memory.
> Again, this is an OpenSSL flaw but since OpenSSL is a library, applications
> that use it will be affected. If you use libcurl using OpenSSL then you are
> affected too.
Why it is called the Heartbleed Bug?

Bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer
security protocols) heartbeat extension (RFC6520). When it is exploited it
leads to the leak of memory contents from the server to the client AND FROM

/QUOTE (my emphasis)

Wow, this is the first time I've heard that clients are vulnerable too. So
a malicious server could ping a client with a heartbeat and cause the client
to leak too... (Unless the client has configured that feature off?)

BTW, XKCD provides us with this beautifully simple explanation of the bug:

Thanks for bringing this to my attention!
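To make the "memory contents leak" concrete, here is an added example that is not part of this thread and not code from OpenSSL or curl. It models the RFC 6520 heartbeat record (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) with a constructed in-memory arena and a constructed secret placed just after the received record, then runs two handlers over it: one that trusts the peer's payload_length field (the shape of the OpenSSL bug) and one that checks the claimed length against the record actually received, silently discarding the request when it does not fit. Either side of the connection can send a heartbeat, which is why a client with a vulnerable library leaks to a rogue server just as a server leaks to a rogue client. All names here are illustrative; the harness deliberately keeps the claimed length small so the over-read stays inside the constructed arena (the real field goes up to 65535).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3      /* type (1) + payload_length (2) */
#define HB_MIN_PADDING  16     /* RFC 6520: at least 16 bytes of padding */

/* Constructed process memory: the received record sits at the front and is
   followed by data the peer must never see (a constructed secret). */
static unsigned char g_memory[1024];
static const char g_secret[] = "constructed-secret-material";

/* Lay out a heartbeat request whose *claimed* payload_length may exceed the
   payload bytes actually sent, then place the secret right after the record.
   Returns the real length of the record. */
size_t stage_request(uint16_t claimed_len, const char *payload) {
    size_t real_len = strlen(payload);
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_memory + HB_HEADER_LEN, payload, real_len);
    size_t rec_len = HB_HEADER_LEN + real_len + HB_MIN_PADDING;
    memcpy(g_memory + rec_len, g_secret, sizeof g_secret);
    return rec_len;
}

/* Vulnerable shape: copies payload_length bytes out of the record without
   ever comparing payload_length to the number of bytes received. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *resp, size_t *resp_len) {
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len); /* over-read */
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    *resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    return 0;
}

/* Fixed shape: discard any request whose claimed payload plus header and
   minimum padding does not fit inside the record that was received. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *resp, size_t *resp_len) {
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    *resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    return 0;
}

/* Does the response carry the secret that lives after the record? */
int response_leaks_secret(const unsigned char *resp, size_t resp_len) {
    size_t n = sizeof g_secret - 1;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, g_secret, n) == 0) return 1;
    return 0;
}

/* Harness guard (not part of either handler): keep the modelled over-read
   inside the constructed arena so the demo itself stays well defined. */
static int claim_fits_arena(uint16_t claimed_len) {
    return HB_HEADER_LEN + (size_t)claimed_len + HB_MIN_PADDING <= sizeof g_memory;
}

/* 1 if the vulnerable handler answers with the secret in its response. */
int vulnerable_leaks(uint16_t claimed_len, const char *payload) {
    unsigned char resp[1024];
    size_t resp_len = 0;
    if (!claim_fits_arena(claimed_len)) return -1;
    size_t rec_len = stage_request(claimed_len, payload);
    if (heartbeat_vulnerable(g_memory, rec_len, resp, &resp_len) != 0) return 0;
    return response_leaks_secret(resp, resp_len);
}

/* Return value of the fixed handler for the same request: 0 accepted, -1 dropped. */
int fixed_result(uint16_t claimed_len, const char *payload) {
    unsigned char resp[1024];
    size_t resp_len = 0;
    if (!claim_fits_arena(claimed_len)) return -1;
    size_t rec_len = stage_request(claimed_len, payload);
    return heartbeat_fixed(g_memory, rec_len, resp, &resp_len);
}

int main(void) {
    printf("honest request  : vulnerable leaks=%d fixed=%d\n",
           vulnerable_leaks(4, "ping"), fixed_result(4, "ping"));
    printf("claims 200 bytes: vulnerable leaks=%d fixed=%d\n",
           vulnerable_leaks(200, "ping"), fixed_result(200, "ping"));
    return 0;
}
```

The honest request (4 bytes claimed, 4 sent) is answered by both handlers; the request that claims 200 bytes while sending 4 makes the trusting handler echo whatever followed the record in memory, while the checked handler drops it. On the question of turning the feature off: the affected OpenSSL versions omit the heartbeat extension entirely when built with OPENSSL_NO_HEARTBEATS defined, which is a build-time option rather than something an application sets per connection.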
