cURL / Mailing Lists / curl-users / Single Mail

curl-users

Yeah, Heartbleed

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 12 Apr 2014 23:48:18 +0200 (CEST)

Hey all,

(cross-posted to both curl-users and curl-library to reach widely, please send
responses to the proper single list.)

Nobody missed Heartbleed[1] this past week I'm sure. If you did, you must've
been on an awesomely disconnected vacation.

Anyway, I've gotten numerous questions about curl in this context so I wanted
to spell out the details once and for all.

Heartbleed is a flaw in OpenSSL in a certain version span. Clients are *also*
vulnerable to this flaw, which means that if you run curl or libcurl with a
vulnerable OpenSSL version a rogue server can read client memory.

Again, this is an OpenSSL flaw but since OpenSSL is a library, applications
that use it will be affected. If you use libcurl using OpenSSL then you are
affected too.

This is not a flaw in curl nor libcurl, we will not and cannot release
anything to adress this problem.

Things to do to avoid being affected include:

  - run a fixed OpenSSL version, or an older version from before the flaw was
    introduced

  - build libcurl against the numerous other fine TLS libraries that we support

[1] = http://heartbleed.com/

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ:        http://curl.haxx.se/docs/faq.html
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-04-12