
curl-library

Yeah, Heartbleed

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 12 Apr 2014 23:48:18 +0200 (CEST)

Hey all,

(cross-posted to both curl-users and curl-library to reach widely, please send
responses to the proper single list.)

Nobody missed Heartbleed[1] this past week I'm sure. If you did, you must've
been on an awesomely disconnected vacation.

Anyway, I've gotten numerous questions about curl in this context so I wanted
to spell out the details once and for all.

Heartbleed is a flaw in OpenSSL in a certain version span. Clients are *also*
vulnerable to this flaw, which means that if you run curl or libcurl with a
vulnerable OpenSSL version a rogue server can read client memory.

Again, this is an OpenSSL flaw but since OpenSSL is a library, applications
that use it will be affected. If you use libcurl using OpenSSL then you are
affected too.

This is not a flaw in curl nor libcurl, we will not and cannot release
anything to address this problem.

Things to do to avoid being affected include:

  - run a fixed OpenSSL version, or an older version from before the flaw was
    introduced

  - build libcurl against the numerous other fine TLS libraries that we support

[1] = http://heartbleed.com/

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-04-12
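An added example, not part of Daniel's mail, of the check his two recommendations imply: read the TLS backend that a curl binary reports on the first line of `curl --version` and flag OpenSSL builds in the affected span. It relies on the known facts that OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected and 1.0.1g is the fixed release; the function name and output labels are this example's own.

```shell
#!/bin/sh
# Example (not from the original mail): classify the TLS backend a curl
# binary reports, for Heartbleed exposure. Only OpenSSL builds in the
# affected span are flagged; curl built against GnuTLS, NSS, etc. is not.

# classify_curl_version LINE
#   LINE is the first line printed by `curl --version`, e.g.
#   "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1f zlib/1.2.8"
#   Prints exactly one of: openssl-vulnerable, openssl-ok, other-backend
classify_curl_version() {
    line=$1
    # Pull out the version token that follows "OpenSSL/", if there is one.
    ver=$(printf '%s\n' "$line" | sed -n 's|.*OpenSSL/\([0-9][0-9a-z.-]*\).*|\1|p')
    if [ -z "$ver" ]; then
        echo other-backend
        return 0
    fi
    case "$ver" in
        # 1.0.1 through 1.0.1f, including suffixed builds such as "-fips",
        # and the 1.0.2 beta that shipped the same heartbeat code.
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo openssl-vulnerable ;;
        # 1.0.1g and later, and the 0.9.8/1.0.0 branches, never had the flaw.
        *)
            echo openssl-ok ;;
    esac
}

# When run as a script, classify the curl binary on PATH (skipped if absent).
if command -v curl >/dev/null 2>&1; then
    classify_curl_version "$(curl --version 2>/dev/null | head -n 1)"
fi
```

Distribution packages often backport the fix without changing the upstream version string, so treat `openssl-vulnerable` as a prompt to check the package changelog rather than as a verdict.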