curl-library
Re: (lib)curl and libssh(2) usage (CVE-2018-10933)
Date: Wed, 17 Oct 2018 11:00:23 +0200 (CEST)
On Wed, 17 Oct 2018, Jörg Schmitz-Linneweber via curl-library wrote:
> I'm just wondering how or better _if_ the above mentioned flaw in libssh (or
> libssh2) affects curl.
>
> In my opinion it should not have any impact since curl needs libssh "only"
> for (transfer) protocols SCP and SFTP and the flaw in libssh affects
> (mostly) the server side.
>
> Of course I'll have a look in the sources. But perhaps someone has already
> done this? :-)

curl and libcurl are NOT affected by the above mentioned flaw.

The CVE-2018-10933 security vulnerability [1] affects libssh when run
server-side, which neither curl nor libcurl ever do. They simply don't offer
that functionality.

The issue is a libssh-only vulnerability and doesn't affect libssh2 at all.

It can be noted that there aren't that terribly many servers out there in the
wild actually based on libssh. Shodan [2] lists 6,353 of them. Still of course
if YOU run such a server, an upgrade is in place NOW.

[1] = https://www.libssh.org/security/advisories/CVE-2018-10933.txt
[2] = https://www.shodan.io/search?query=libssh

-- / daniel.haxx.se
Received on 2018-10-17