curl / Mailing Lists / curl-library / Single Mail


I renamed the security advisory pages

From: Daniel Stenberg via curl-library <>
Date: Mon, 20 Aug 2018 12:33:31 +0200 (CEST)


Just a FYI

1. I ran sed script on the security advisory web pages on the curl web site
and now all published previous security vulnerabilities are published with the
CVE number in the URL and there's no longer any private ID used there. For

All the former links (should) still work and permanently redirect do the new
URLs. Let me know if you find anything that broke.

We should always acquire official CVE numbers for all published advisories
anyway and possibly this should also make our advisories appear as more
"official" documentation for curl security flaws and become easier to search

2. In this process, I also merged what formerly was two separate security
vulnerabilities into a single one: CVE-2005-0490 to better conform with this
new approach. The issue was considered as one by MITRE back in the days while
we thought they were two different ones. With the new naming, it become
complicated to keep them separate.

This is really not very important since that's an issue fixed over 13 years
ago but someone might notice that the vulnerability counter thus shrunk and is
now claiming a total of 80 published vulnerabilities again - when it
previously said 81.

3. There's but one curl vulnerability that still doesn't have a valid CVE. I
cheated a bit and called it CVE-2003-XXXX for now:

I have applied for an official ID for this, but I'm not sure how they treat
requests for IDs for 15 year old issues. If I get an ID, I'll update
accordingly - otherwise I'll leave it like this.

Received on 2018-08-20