backdoors and UMN
From: Daniel Stenberg via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 22 Apr 2021 08:55:54 +0200 (CEST)
Hi friends,
Just a few weeks ago I wrote a blog post about "how to backdoor curl" [1],
trying to look at and think about ways how a malicious actor could potentially
proceed to try to get bad code landed in curl.
Yesterday the news broke that researchers at UMN (University of Minnesota) did
exactly this against the Linux kernel project [2]: they submitted patches to
the project with deliberate flaws, in the name of research. Some of them were
merged before this was found out, but they're now all being reverted and
re-vetted. UMN has even been banned from further Linux work.
I did my part and checked: curl has never received or merged any
patches/commits from someone with a _at_umn.edu email address. We have not been a
target of this attack.
This Linux kernel attack shows that these kinds of methods and scenarios are
more than theoretical. They're actually used.
[1] = https://daniel.haxx.se/blog/2021/03/30/howto-backdoor-curl/
[2] = https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh_at_linuxfoundation.org/
--
/ daniel.haxx.se
| Commercial curl support up to 24x7 is available!
| Private help, bug fixes, support, ports, new features
| https://www.wolfssl.com/contact/
Received on 2021-04-22