curl-users

wrong facts about curl exploit (fwd)

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 19 Oct 2000 09:57:50 +0200 (MET DST)

Hi

I just wanna share with you a little of what keeps me busy during the
days! ;-)

-- 
  Daniel Stenberg -- curl project maintainer -- http://curl.haxx.se/
---------- Forwarded message ----------
Date: Thu, 19 Oct 2000 09:57:00 +0200 (MET DST)
From: Daniel Stenberg <daniel_at_haxx.se>
To: webmaster_at_securityfocus.com
Subject: wrong facts about curl exploit

Hi

I trust webmaster is a valid receiver that can forward this mail to the
appropriate person!

I am the main author of curl, the tool that appeared in the Remote Buffer
Overflow Vulnerability specified at

	http://www.securityfocus.com/bid/1804

... the information and discussion are accurate, to the point and describe
the problem (even if somewhat unspecific). However, what is bothering me:

	The described exploit is *entirely* wrong!

The described exploit is a) not a remote buffer overflow b) not at all
present in all those versions listed in the advisory. c) hardly an exploit
since it just crashes older versions of the application.

There's a "buffer overflow" example posted in the curl bug report system that
would make a far better (and correct) example of how to crash curl using this
flaw.

I'd be happy to answer any questions regarding this matter, and I would
like to see that section of the advisory corrected.

Thanks for an utterly important and useful service!

-- 
  Daniel Stenberg -- curl project maintainer -- http://curl.haxx.se/
Received on 2000-10-19