cURL / Mailing Lists / curl-library / Single Mail


Re: Protecting against inner library security bugs

From: Daniel Stenberg <>
Date: Wed, 12 Nov 2014 00:25:08 +0100 (CET)

On Tue, 11 Nov 2014, wrote:

> Does libcurl have a policy on having code to protect against bugs being
> exploited in lower-level libraries? For example, this Windows SChannel bug:

I'll just second Ray's comments in that we can't do a whole lot about bugs in
other libraries.

We do however make an effort to make libcurl safe and secure. Mostly with code
reviews, tests (involving running them with tools like valgrind) and static
code analyzers (like clang-analyzer, cppcheck and coverity).

We also have a documented process for handling discovered or suspected
security problems in curl or libcurl:

List admin:
Received on 2014-11-12