

Re: Is libcurl/curl affected by OpenSSL "DH small subgroups (CVE-2016-0701)"?

From: Ray Satiro via curl-library <>
Date: Sat, 6 Feb 2016 03:16:30 -0500

On 1/29/2016 1:38 AM, Dana Burd wrote:
> Wise curl folks,
> There’s a new “high severity” vulnerability in OpenSSL 1.0.2:
> I’m curious if curl-7.40.0 is affected at all. I poked around the
> source, but it’s a bit over my head. Any insights appreciated…
> If curl-7.40.0 is affected, pointers on how to patch with the right
> OpenSSL option are even more appreciated!

CVE-2016-0701 looks primarily like a server issue. The server generated
the weak primes and libcurl doesn't have anything to do with that as far
as I can tell [1]. The responsibility to fix this seems to me to be on
the server. In other words, your updating libcurl w/OpenSSL isn't going to
fix this or stop someone from possibly decrypting your traffic to a
vulnerable server. But you should update anyway, for every other
security reason. I'd hoped someone more knowledgeable about this would
reply, but it's been a week...
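As an added example (not part of this thread and not curl or OpenSSL code), here is a Python check a defender can run over DH parameters and a peer's public value: it rejects groups whose modulus is not a "safe" prime, the property whose absence CVE-2016-0701 exploited on servers that also reused their private DH exponent across handshakes. All function names are mine, and the groups used in the demo are constructed toy sizes so that subgroup confinement can be shown by brute force; the primality and validation functions themselves work on full-size parameters.

```python
import random

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; 40 rounds gives a negligible false-positive rate."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p: int) -> bool:
    """p is 'safe' when q = (p-1)/2 is also prime: Z_p^* then has no subgroup
    of small odd order that a confined shared secret could fall into."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def dh_params_ok(p: int, g: int) -> bool:
    """Accept a group only if p is a safe prime and g is not 1 or p-1 (order 1 or 2)."""
    return is_safe_prime(p) and 1 < g < p - 1

def peer_public_ok(p: int, y: int) -> bool:
    """Public-value check: 2 <= y <= p-2 and y^q = 1 mod p (y is in the order-q
    subgroup). With a non-safe prime this is NOT sufficient, because elements of
    small odd order dividing q also pass, so run dh_params_ok first."""
    q = (p - 1) // 2
    return 2 <= y <= p - 2 and pow(y, q, p) == 1

def confined_secret_count(p: int, y: int) -> int:
    """Toy-size only: how many distinct shared secrets y^x mod p can take.
    A small count means an attacker-chosen y leaks the private exponent mod that order."""
    return len({pow(y, x, p) for x in range(1, p)})

if __name__ == "__main__":
    SAFE_P, UNSAFE_P = 23, 31          # constructed: 23 = 2*11+1 is safe, 31-1 = 2*3*5 is not
    print("safe group ok:", dh_params_ok(SAFE_P, 4), confined_secret_count(SAFE_P, 4))
    print("unsafe group rejected:", dh_params_ok(UNSAFE_P, 3))
    print("y=5 passes subgroup test on p=31 yet confines secret to",
          peer_public_ok(UNSAFE_P, 5), confined_secret_count(UNSAFE_P, 5), "values")
```

The last line is the failure mode behind the CVE: on a non-safe prime the subgroup test alone accepts a value of order 3, so the server-side requirement is the safe prime (and, in the affected OpenSSL, not reusing the private exponent), not anything the client can do.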


Received on 2016-02-06