curl-library

Re: [SECURITY ADVISORY 1/4] libcurl wrong re-use of connections

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Sun, 30 Mar 2014 21:15:28 +0200

On Sunday, March 30, 2014 15:34:49 Alessandro Ghedini wrote:
> On Wed, Mar 26, 2014 at 08:04:30 +0100, Daniel Stenberg wrote:
> > 3. THE SOLUTION
> >
> > libcurl 7.36.0 makes sure that connections are re-used more strictly.
> >
> > A patch for this problem is available at:
> > http://curl.haxx.se/libcurl-bad-reuse.patch
>
> I've been trying to backport that patch to curl 7.26.0 (used in Debian
> stable), but I've noticed that the connection reuse has changed drastically
> since then, and that patch doesn't seem to be enough to fix the issue (in
> fact, it actually breaks the test suite, since test 519 freezes for some
> reason). I haven't even tried to backport it to Debian oldstable (7.21.0).
>
> Is there someone that successfully backported it to something pre-7.30.0, or
> should I just give up?

I am attaching a patch for curl 7.29.0.

Kamil
Received on 2014-03-30