
curl-library

Re: (lib)curl and libssh(2) usage (CVE-2018-10933)

From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 17 Oct 2018 11:00:23 +0200 (CEST)

On Wed, 17 Oct 2018, Jörg Schmitz-Linneweber via curl-library wrote:

> I'm just wondering how or better _if_ the above mentioned flaw in libssh (or
> libssh2) affects curl.
>
> In my opinion it should not have any impact since curl needs libssh "only"
> for (transfer) protocols SCP and SFTP and the flaw in libssh affects
> (mostly) the server side.
>
> Of course I'll have a look in the sources. But perhaps someone has already
> done this? :-)

curl and libcurl are NOT affected by the above mentioned flaw.

The CVE-2018-10933 security vulnerability [1] affects libssh when run
server-side, which neither curl nor libcurl ever does. They simply don't offer
that functionality.

The issue is a libssh-only vulnerability and doesn't affect libssh2 at all.

It can be noted that there aren't that terribly many servers out there in the
wild actually based on libssh. shodan [2] lists 6,353 of them. Still, of course,
if YOU run such a server, an upgrade is in order NOW.

[1] = https://www.libssh.org/security/advisories/CVE-2018-10933.txt
[2] = https://www.shodan.io/search?query=libssh

-- 
  / daniel.haxx.se
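The practical question that remains for anyone reading this on a client machine is simply which SSH library their curl was linked against, since the mail above states the issue is libssh-only and does not touch libssh2. The following is an added example, not code from the curl project or from this mail: it classifies the first line of `curl --version` output, where curl lists its SSH backend as `libssh2/<ver>` or `libssh/<ver>...`. The sample version lines are constructed for illustration, not captured from any real machine, and the function and variable names (`ssh_backend`, `report_local_curl`, `SAMPLE_*`) are my own.

```shell
#!/bin/sh
# Added example (not from the curl project or this mail): tell which SSH
# backend a curl binary was built against, from the first line of
# `curl --version`. CVE-2018-10933 is a libssh server-side issue and does
# not affect libssh2, so for a client box the only question is which
# library is linked, and even then curl itself never runs libssh as a server.

# Print the SSH backend named in a `curl --version` first line:
# "libssh2", "libssh", or "none" (no SCP/SFTP support compiled in).
ssh_backend() {
    case "$1" in
        *libssh2/*) echo "libssh2" ;;   # libssh2 prints as "libssh2/1.8.0"
        *libssh/*)  echo "libssh" ;;    # libssh prints as "libssh/0.8.3/openssl/zlib"
        *)          echo "none" ;;
    esac
}

# Constructed sample lines (assumptions, not real captured output), in the
# shape curl prints: "curl <ver> (<triplet>) libcurl/<ver> <lib>/<ver> ..."
SAMPLE_LIBSSH2="curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11 libssh2/1.8.0 nghttp2/1.33.0"
SAMPLE_LIBSSH="curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11 libssh/0.8.3/openssl/zlib"
SAMPLE_NONE="curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11"

# Report the backend of whatever curl is on PATH, if one is installed.
report_local_curl() {
    if command -v curl >/dev/null 2>&1; then
        line=$(curl --version 2>/dev/null | head -n 1)
        echo "local curl: $(ssh_backend "$line")"
    else
        echo "local curl: not found"
    fi
}

# Usage: classify the constructed samples, then the local binary.
echo "sample 1: $(ssh_backend "$SAMPLE_LIBSSH2")"
echo "sample 2: $(ssh_backend "$SAMPLE_LIBSSH")"
echo "sample 3: $(ssh_backend "$SAMPLE_NONE")"
report_local_curl
```

The `libssh2/` pattern is tested before `libssh/` so that a libssh2 build is never misreported; a line with neither token means the build has no SCP/SFTP support at all. Whatever the result, this only tells you what is linked into a client, which per the mail is not the exposure; the thing to go and check is any SSH server you operate that embeds libssh.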

Received on 2018-10-17