curl-library

Re: Is libcurl/curl affected by OpenSSL "DH small subgroups (CVE-2016-0701)"?

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Sat, 6 Feb 2016 03:16:30 -0500

On 1/29/2016 1:38 AM, Dana Burd wrote:
> Wise curl folks,
>
> There’s a new “high severity” vulnerability in OpenSSL 1.0.2:
> https://www.openssl.org/news/secadv/20160128.txt
>
> I’m curious if curl-7.40.0 is affected at all. I poked around the
> source, but it’s a bit over my head. Any insights appreciated…
> If curl-7.40.0 is affected, pointers on how to patch with the right
> OpenSSL option is even more appreciated!
>

CVE-2016-0701 looks primarily like a server issue. The server generated
the weak primes and libcurl doesn't have anything to do with that as far
as I can tell [1]. The responsibility to fix this seems to me to be on
the server. In other words you updating libcurl w/OpenSSL isn't going to
fix this or stop someone from possibly decrypting your traffic to a
vulnerable server. But you should update anyway, for every other
security reason. I'd hoped someone more knowledgeable about this would
reply, but it's been a week...

[1]:
http://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.html

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-02-06
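The reply above puts the responsibility on the server's DH parameters rather than on libcurl. As an added illustration (not code from curl, from Ray Satiro, or from the advisory), the following Python implements the two defender-side checks that matter for this class of issue: whether a DH modulus p is a safe prime (so the group has no small subgroups beyond order 2), and whether a received public value lies in the prime-order subgroup at all. The parameters used are constructed toy values and the Mersenne prime 2^127-1, chosen only to show a prime that is not a safe prime; they are not production groups.

```python
"""Defender-side checks for finite-field Diffie-Hellman parameters.

Added example, not code from curl or from the mail above. It shows
(1) a safe-prime test that a server operator can run on a dhparam modulus,
(2) a listing of the small prime factors of p-1, i.e. the orders of the
small subgroups an attacker could confine a key exchange into when p is
not a safe prime, and (3) full public-value validation that rejects
values outside the order-q subgroup. All sample numbers are constructed.
"""
import secrets


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with random bases (assumed helper)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    # Write n - 1 = d * 2^r with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when p and q = (p - 1) / 2 are both prime.

    In such a group the only subgroup orders are 1, 2, q and 2q, so a
    small-subgroup attack can learn at most one bit about a private key.
    """
    if p < 5 or p % 2 == 0:
        return False
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def small_factors_of_order(p: int, bound: int = 1000) -> list:
    """Prime factors of p - 1 below `bound`, by trial division.

    Each factor is the order of a small subgroup of the multiplicative
    group mod p. For a safe prime the list is just [2]; a long list means
    the parameters need replacing (and fresh keys per handshake).
    """
    n = p - 1
    factors = []
    f = 2
    while f < bound and f * f <= n:
        if n % f == 0:
            factors.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if n < bound and n > 1:
        factors.append(n)
    return factors


def validate_public_value(y: int, p: int) -> bool:
    """Full public-key validation for a safe-prime group.

    Requires 2 <= y <= p - 2 and y^q mod p == 1, which rejects 0, 1, the
    order-2 element p - 1, and any value outside the order-q subgroup.
    """
    q = (p - 1) // 2
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


if __name__ == "__main__":
    # Constructed toy group: p = 23, q = 11, g = 4 generates the order-11 subgroup.
    P, G = 23, 4
    print("23 safe prime:", is_safe_prime(P))                 # True
    print("accept 4^3 mod 23 =", pow(G, 3, P), validate_public_value(pow(G, 3, P), P))
    print("reject p-1:", validate_public_value(P - 1, P))     # False
    # 2^127 - 1 is prime but (p-1)/2 has many small factors: not a safe prime.
    M127 = (1 << 127) - 1
    print("2^127-1 prime:", is_probable_prime(M127), "safe:", is_safe_prime(M127))
    print("small subgroup orders:", small_factors_of_order(M127))
```

Run against real parameters, `p` would come from the server's own dhparam file rather than these constructed values; the point of the exercise is the one made in the mail, that the check belongs on the side that generated the group.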