curl-library

CVE-2009-4355 and libcurl

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 14 Jan 2010 19:07:59 +0100 (CET)

FYI,

I just wanted to tell you about CVE-2009-4355 and an OpenSSL DoS
vulnerability: http://seclists.org/oss-sec/2010/q1/21 since several records
online show references to curl and libcurl in association with it.

I was contacted by the guys at rpath early on during the research of this
flaw, and as the Red Hat bug entry
(https://bugzilla.redhat.com/show_bug.cgi?id=546707) shows, they thought
libcurl was to blame initially.

It was, however, quickly determined that libcurl was not the culprit; it could
merely avoid the problem by changing code. The actual final fix was done to
OpenSSL, and that's then what the final security alert is about.

-- 
  / daniel.haxx.se
Received on 2010-01-14