curl-library

backported patches and curl -V

From: Toby Peterson <toby_at_apple.com>
Date: Fri, 19 May 2006 16:11:54 -0700

I'm currently investigating the best way to convey to users the fact
that we've applied a security patch to the version of curl we're
shipping. Currently, the output of 'curl -V' is as follows:

curl 7.13.1 (powerpc-apple-darwin8.0) libcurl/7.13.1 OpenSSL/0.9.7i
zlib/1.2.3
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz

However, it's really curl 7.13.1 with various security fixes applied.
As I'm sure you can understand, shipping an entirely new version in a
small security patch isn't preferred, given the amount of extra
testing required. Now, since the output of curl -V is documented, I'm
somewhat wary of making changes to it. But here's what I'd suggest,
and this should be helpful for other vendors who include curl:

curl 7.13.1 (powerpc-apple-darwin8.0) libcurl/7.13.1 OpenSSL/0.9.7i
zlib/1.2.3
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz
Patches: APPLE-SA-2006-05-11

Of course, the 'APPLE-SA-2006-05-11' could be 'DSA-919' on Debian or
'GLSA-200603-25' on Gentoo, or simply 'CVE-2005-4077' on any system.

Any thoughts?

- Toby
Received on 2006-05-20
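
An added example, not part of the original message and not curl's own code: a Python parser for `curl -V` output that also reads the proposed `Patches:` line, so a version-based check can tell a backported fix from an unpatched build. The `Patches:` label is the poster's proposal; the function names, result strings and the `fixed_in` threshold are assumptions made for illustration.

```python
import re

# Output proposed in the message; "Patches:" is the poster's proposal, not a
# line released curl prints. The first line is wrapped the way mail wraps it.
PROPOSED = """curl 7.13.1 (powerpc-apple-darwin8.0) libcurl/7.13.1 OpenSSL/0.9.7i
zlib/1.2.3
Protocols: ftp gopher telnet dict ldap http file https ftps
Features: IPv6 Largefile NTLM SSL libz
Patches: APPLE-SA-2006-05-11
"""

LABELS = ("Protocols", "Features", "Patches")


def parse_curl_version(text):
    """Parse `curl -V` style output, tolerating a wrapped first line."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    head = re.match(r"curl (\d+(?:\.\d+)*)\S* \(([^)]*)\)(.*)", lines[0]) if lines else None
    if not head:
        raise ValueError("not curl -V output")
    info = {"version": head.group(1), "host": head.group(2),
            "components": head.group(3).split(),
            "protocols": [], "features": [], "patches": []}
    for line in lines[1:]:
        label, sep, rest = line.partition(":")
        if sep and label in LABELS:
            info[label.lower()] = rest.split()
        elif not sep:
            info["components"] += line.split()  # continuation of line 1
    return info


def as_tuple(version):
    """Turn '7.13.1' into (7, 13, 1) so versions compare numerically."""
    return tuple(int(p) for p in version.split("."))


def assess(text, fixed_in, fix_ids):
    """Classify one finding: upstream version first, then the Patches line."""
    info = parse_curl_version(text)
    if as_tuple(info["version"]) >= as_tuple(fixed_in):
        return "fixed-upstream"
    applied = sorted(set(info["patches"]) & set(fix_ids))
    return "fixed-by-backport:" + ",".join(applied) if applied else "flag-by-version"


if __name__ == "__main__":
    # "7.14.0" is a constructed threshold for the example, not a real fix version.
    print(assess(PROPOSED, "7.14.0", ["APPLE-SA-2006-05-11", "CVE-2005-4077"]))
```

The caller decides which advisory identifiers count as the same fix; a build without the `Patches:` line still falls back to the version comparison.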