Re: (lib)curl and libssh(2) usage (CVE-2018-10933)

From: Daniel Stenberg via curl-library <>
Date: Wed, 17 Oct 2018 11:00:23 +0200 (CEST)

On Wed, 17 Oct 2018, Jörg Schmitz-Linneweber via curl-library wrote:

> I'm just wondering how or better _if_ the above mentioned flaw in libssh (or
> libssh2) affects curl.
> In my opinion it should not have any impact since curl needs libssh "only"
> for (transfer) protocols SCP and SFTP and the flaw in libssh affects
> (mostly) the server side.
> Of course I'll have a look in the sources. But perhaps someone has already
> done this? :-)

curl and libcurl are NOT affected by the above mentioned flaw.

The CVE-2018-10933 security vulnerability [1] affects libssh when run
server-side, which neither curl nor libcurl ever do. They simply don't offer
that functionality.

The issue is a libssh-only vulnerability and doesn't affect libssh2 at all.

It can be noted that there aren't that terribly many servers out there in the
wild actually based on libssh. shodan [2] lists 6,353 of them. Still of course
if YOU run such a server, an upgrade is in place NOW.

[1] =
[2] =


Received on 2018-10-17