
curl vs libcurl wording in security advisories

From: Fritsch, Daniel via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 20 Aug 2020 09:49:28 +0000

Hello everybody,

The differences between the monikers "curl", "cURL", and "libcurl" are well understood and documented [1]. However, the security advisories seem to not strictly follow this distinction. A few examples:

Advisory for CVE-2020-8231 [2]:

The description clarifies that this vulnerability affects libcurl and not curl. The "Affected Versions" section is consistent with that information and the distinction. However, the "Recommendations" section suggests updating curl (not libcurl, nor cURL).

Advisory for CVE-2020-8169 [3]:

The description only ever mentions libcurl, same for the "Affected Versions" section. However, the "Info" section clearly mentions that this affects both curl and libcurl. Additionally, the "Recommendations" section suggests updating curl, without mentioning libcurl, even though the latter is affected as well.

Other advisories [4, 5] only mention curl, without clarifying if libcurl is affected as well (which is however likely).

Is there a specific reason for these divergences between different advisories?

Kind regards,

Daniel

[1] https://daniel.haxx.se/docs/curl-vs-libcurl.html

[2] https://curl.haxx.se/docs/CVE-2020-8231.html

[3] https://curl.haxx.se/docs/CVE-2020-8169.html

[4] https://curl.haxx.se/docs/CVE-2018-1000300.html

[5] https://curl.haxx.se/docs/CVE-2018-0500.html

Received on 2020-08-20