
curl-library

Re: Yeah, Heartbleed

From: Rich Gray <rgray_at_plustechnologies.com>
Date: Sat, 12 Apr 2014 18:48:28 -0400

Daniel Stenberg wrote:
>
> Heartbleed is a flaw in OpenSSL in a certain version span. Clients are
> *also* vulnerable to this flaw, which means that if you run curl or libcurl
> with a vulnerable OpenSSL version a rogue server can read client memory.
>
> Again, this is an OpenSSL flaw but since OpenSSL is a library, applications
> that use it will be affected. If you use libcurl using OpenSSL then you are
> affected too.

http://heartbleed.com/
QUOTE
Why is it called the Heartbleed Bug?

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer
security protocols) heartbeat extension (RFC6520). When it is exploited it
leads to the leak of memory contents from the server to the client AND FROM
THE CLIENT TO THE SERVER.

/QUOTE (my emphasis)

Wow, this is the first time I've heard that clients are vulnerable too. So
a malicious server could ping a client with a heartbeat and cause the client
to leak too... (Unless the client has configured that feature off?)

BTW, XKCD provides us with this beautifully simple explanation of the bug:
http://xkcd.com/1354/

Thanks for bringing this to my attention!
Rich
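As an added example (not code from the curl project, OpenSSL, or this thread's authors), here is the RFC 6520 heartbeat validation that either peer, client or server, must perform before echoing a request: the bounds check on the claimed payload length is the one whose absence produced the leak, and since a client answers a server's heartbeat requests too, a client that skips it leaks just like a server. The constants and the two sample messages are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build a HeartbeatResponse echoing the request's payload.
 * Returns bytes written to resp, or -1 if the request is rejected.
 * rec_len is the number of bytes actually received in the record; the
 * claimed payload_length must fit inside it, otherwise the echo would copy
 * process memory beyond the received data back to the peer. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: header + claimed payload + minimum padding <= received bytes */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;
    size_t out_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)payload_len;
    memcpy(resp + 3, rec + 3, payload_len);            /* echo only bytes we received */
    memset(resp + 3 + payload_len, 0, HB_MIN_PADDING); /* padding is random in real code; zero here */
    return (int)out_len;
}

/* Constructed sample: a well-formed request with a 4-byte payload. */
int demo_honest(void) {
    uint8_t req[1 + 2 + 4 + 16] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t resp[64];
    return heartbeat_respond(req, sizeof req, resp, sizeof resp);
}

/* Constructed sample: same 23 received bytes, but the header claims 65535 payload bytes. */
int demo_malformed(void) {
    uint8_t req[1 + 2 + 4 + 16] = {HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g'};
    uint8_t resp[64];
    return heartbeat_respond(req, sizeof req, resp, sizeof resp);
}

int main(void) {
    printf("honest request    -> %d bytes\n", demo_honest());    /* 23 */
    printf("malformed request -> %d (rejected)\n", demo_malformed()); /* -1 */
    return 0;
}
```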
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-04-13