curl-library

Re: Protecting against inner library security bugs

From: Ray Satiro <raysatiro_at_yahoo.com>
Date: Tue, 11 Nov 2014 18:16:35 -0500

On 11/11/2014 4:03 PM, myriachan_at_cox.net wrote:
> Does libcurl have a policy on having code to protect against bugs being exploited in lower-level libraries? For example, this Windows SChannel bug:
>
> https://technet.microsoft.com/library/security/MS14-066
>
> It's an interesting question that I suppose would apply to, say, Heartbleed as well...?

What could libcurl do to mitigate against bugs in other libraries other
than what every contributor should already know, which is to code to the
specification? And if the code or specification is bad then that's a
different discussion; a discussion which will (should) happen because
everything that goes into libcurl has eyes on it (i.e. this mailing list).
To be fair there's not a whole lot of information on that schannel bug
and nothing in their acknowledgements, but I don't know what type of
libcurl policy could prevent against that or heartbleed or anything like it.

There is exploit mitigation for Windows and the applications that run on
it. For example Microsoft has a free exploit mitigation toolkit, the
latest version released today [1]. Generally speaking though when you
increase security through mitigation it's inevitable you'll break
something, so test well. Mitigations help against the exploitation of
some vulnerabilities. Some.

[1]: http://blogs.technet.com/b/srd/archive/2014/11/10/emet-5-1-is-available.aspx

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-12