
Re: FTPS session resumption on older curl-Version

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 28 Oct 2021 11:34:00 +0200 (CEST)

On Thu, 28 Oct 2021, Joscha Knobloch via curl-library wrote:

> It has the following curl version: curl 7.29.0

That version was released in early 2013. We've done almost *12,000* commits
and 72 releases since then.

I presume your OS vendor has patched the *60* individual security
vulnerabilities that are present in the original version of that release [1],
which then also has converted it into a frankencurl version you cannot expect
that anyone else than the centos maintainers can take responsibility for.

> This is working fine with: curl 7.64.1

This is not only a newer curl release, you're also comparing with a curl built
to use a different TLS backend. It might matter.

> In which version was this fixed?

I don't know

> I am not sure if I am looking in the right place because the entry from
> 6be2804 is still there on the latest tag of curl which is far newer than my
> local installation.

That commit just removed the entry from KNOWN_BUGS. It doesn't actually say
or hint about when the exact fix was done.

Besides, I'm not convinced you'll be much happier even if you figure out the
exact commit that made it work: You still need to update and why then make the
situation even more complicated by patching a frankencurl instead of just
going to a much much newer version anyway?

If you really want to find the exact commit, I think bisecting is the only
way.

> How would you go about updating curl to a newer version on CentOS7? Is there
> a repository that could be added?

I don't know anything about centos and centos repositories, but I know that
building a modern curl from source is usually possible and a viable
alternative even on these outdated systems.

[1] = https://curl.se/docs/vuln-7.29.0.html

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
Received on 2021-10-28
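
The bisecting suggested in the mail above looks for the commit that fixed a behaviour rather than the one that broke it, so the bisect terms have to be inverted. The script below is an added example, not part of the original mail or of the curl project; it assumes a clone of the curl git repository, the upstream tags for the two versions named in the thread, an OpenSSL build at every step, and a test server reachable through the hypothetical `FTPS_URL` variable.

```shell
#!/bin/sh
# Added example: a `git bisect run` script that hunts for the FIXING commit.
#
# Assumed setup, run inside a clone of the curl git repository:
#   git bisect start --term-old=broken --term-new=fixed
#   git bisect broken curl-7_29_0      # upstream tag for 7.29.0
#   git bisect fixed  curl-7_64_1      # upstream tag for 7.64.1
#   FTPS_URL='ftps://user:pass@ftps.example.test/' git bisect run ./bisect-ftps.sh
#
# FTPS_URL, the example.test host and bisect-ftps.sh are hypothetical names.

# Map results to the exit code `git bisect run` expects:
#   125 = this commit cannot be tested, skip it
#   0   = "old" term (here: broken, the transfer failed)
#   1   = "new" term (here: fixed, the transfer succeeded)
# $1 = build exit status, $2 = transfer exit status
verdict() {
  if [ "$1" -ne 0 ]; then
    echo 125
  elif [ "$2" -eq 0 ]; then
    echo 1
  else
    echo 0
  fi
}

# Build the checked-out commit with the same TLS backend at every step, so
# that only the curl revision changes between runs (OpenSSL is an assumption).
build_curl() {
  ./buildconf >/dev/null 2>&1 &&
    ./configure --with-ssl --disable-shared >/dev/null 2>&1 &&
    make -j4 >/dev/null 2>&1
}

# Try the transfer with the freshly built binary.
try_transfer() {
  ./src/curl --silent --show-error --max-time 30 --output /dev/null "$FTPS_URL"
}

# Only act when a test server is configured, so sourcing the file is harmless.
if [ -n "${FTPS_URL:-}" ]; then
  build_rc=0; xfer_rc=0
  build_curl || build_rc=$?
  if [ "$build_rc" -eq 0 ]; then try_transfer || xfer_rc=$?; fi
  exit "$(verdict "$build_rc" "$xfer_rc")"
fi
```

Before starting, confirm by hand that both endpoints behave as expected when built this way, because the two builds compared in the thread differ in TLS backend as well as in version.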