
curl-library

Re: SECURITY VULNERABILITY: inappropriate GSSAPI delegation

From: Julien Chaffraix <julien.chaffraix_at_gmail.com>
Date: Tue, 12 Jul 2011 07:25:48 -0700

>> That was a limitation we accepted in the interests of releasing a timely
>> fix and avoiding prematurely publicising the issue.  Since none of the
>> core curl developers uses Kerberos, it would have been a bit risky to
>> develop a proper API without public feedback.  I believe that patches
>> to add such an API would be welcome.
>
> I think this patch should go on top of Julien's patchset, which is not yet
> in.

I just pushed it in (sorry for the delay). It should now be easier to
have a consistent behavior when it comes to delegation.

> Could we make at least some consensus on the API change at this point?

Several people have requested that, so it looks like we should honor the request.

> Chances are that Red Hat will need to fix this prior to the upstream fix.  My
> proposal is a new easy option CURLOPT_GSSAPI_DELEGATION that given 1L enables
> the old behavior.  Any objections?  Thanks in advance.

It looks like a good trade-off. Better would be to be able to choose
who to delegate to explicitly, but I don't think GSSAPI lets us have
this granularity.

Thanks for following up,
Julien
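The mail discusses an option that switches GSSAPI credential delegation back on, and the reply wishes for a way to choose the delegation target. The following is an added example, not code from curl or from anyone in this thread. It assumes the usual GSSAPI mechanism: delegation happens when the client sets GSS_C_DELEG_FLAG (or the MIT/Heimdal GSS_C_DELEG_POLICY_FLAG, which defers to KDC policy) in the req_flags of gss_init_sec_context(), and it mirrors the three option values libcurl 7.22.0 eventually shipped as CURLGSSAPI_DELEGATION_NONE, CURLGSSAPI_DELEGATION_POLICY_FLAG and CURLGSSAPI_DELEGATION_FLAG rather than the bare 1L proposed above. The GSS_C_* constants are redefined locally so the file builds without the GSSAPI headers, and the per-host allowlist, the function names and the sample host names are this example's own, showing how an application can add the per-server granularity itself by setting the option per target:

```c
/*
 * Added example (not curl's code): translate a delegation option into
 * gss_init_sec_context() req_flags, and decide that option per target host.
 * GSS_C_* values are the standard ones (RFC 2744; GSS_C_DELEG_POLICY_FLAG is
 * the MIT/Heimdal extension), copied here so no <gssapi/gssapi.h> is needed.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define GSS_C_DELEG_FLAG        1u      /* delegate credentials unconditionally */
#define GSS_C_MUTUAL_FLAG       2u      /* mutual authentication */
#define GSS_C_DELEG_POLICY_FLAG 32768u  /* delegate only if KDC policy (OK-AS-DELEGATE) allows */

/* Option values, numbered as libcurl 7.22.0 numbered CURLOPT_GSSAPI_DELEGATION. */
#define DELEGATION_NONE        0L
#define DELEGATION_POLICY_FLAG 1L
#define DELEGATION_FLAG        2L

/* Translate the option value into req_flags.
 * Before the fix the equivalent of DELEGATION_FLAG applied to every server;
 * the fixed default is DELEGATION_NONE. Unknown values fail closed (no delegation). */
unsigned int gssapi_req_flags(long delegation_opt)
{
    unsigned int flags = GSS_C_MUTUAL_FLAG;  /* assumed base flag for this example */
    switch (delegation_opt) {
    case DELEGATION_FLAG:        flags |= GSS_C_DELEG_FLAG;        break;
    case DELEGATION_POLICY_FLAG: flags |= GSS_C_DELEG_POLICY_FLAG; break;
    default:                     break;
    }
    return flags;
}

/* True when the context request could hand the server a forwardable TGT. */
int may_delegate(unsigned int req_flags)
{
    return (req_flags & (GSS_C_DELEG_FLAG | GSS_C_DELEG_POLICY_FLAG)) != 0;
}

/* DNS names are case-insensitive; a trailing dot (absolute name) is ignored. */
static int host_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la && a[la - 1] == '.') la--;
    if (lb && b[lb - 1] == '.') lb--;
    if (la != lb)
        return 0;
    for (size_t i = 0; i < la; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Application-side granularity (hypothetical helper): hosts on the allowlist
 * get unconditional delegation, every other target gets none. Exact-host
 * matching is deliberate so "trusted.example.attacker.example" never matches. */
long delegation_for_host(const char *host, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (host_equal(host, allowed[i]))
            return DELEGATION_FLAG;
    return DELEGATION_NONE;
}

int main(void)
{
    /* Constructed sample: one trusted intranet host, several requests. */
    static const char *const allowed[] = { "proxy.corp.example" };
    static const char *const targets[] = {
        "proxy.corp.example",
        "PROXY.corp.example.",
        "evil.example",
        "proxy.corp.example.attacker.example",
    };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        long opt = gssapi_req_flags(0) ? delegation_for_host(targets[i], allowed, 1) : 0L;
        unsigned int flags = gssapi_req_flags(opt);
        printf("%-40s opt=%ld req_flags=0x%04x delegates=%s\n",
               targets[i], opt, flags, may_delegate(flags) ? "yes" : "no");
    }
    return 0;
}
```

The value of the option is per easy handle, so the application computes it per request from the target it is about to contact; leaving the default in place means no server, trusted or not, ever receives a forwardable copy of the user's TGT. Note that in the shipped API the value 1L selects the policy flag, not the pre-fix unconditional delegation the mail associates with 1L.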

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2011-07-12