curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: all previous curl CVEs as JSON ?

From: Timothe Litt <>
Date: Mon, 1 May 2023 07:08:20 -0400

On 01-May-23 06:16, Daniel Stenberg via curl-library wrote:
> See
> Let me know how we can perfect this. This JSON file will be
> automatically generated and provided on the curl site at a fixed URL.
Good start.  A few things to consider:

  * Use "summary" rather than "name"; name implies uniqueness.
  * Rather than hiding in description, add key for "known exploits" -
    value can be boolean. [will this be updated if updates are
    discovered after publication?  If not, what's the value of having it?]
  * Provide schema version in header object.  "project" can be in header
    object rather than each item.  Also include data release ("as of")
    date and/or version.  URL of schema description could be useful too.
  * Does each entry need a revision # (e.g. if the first fix is
  * should reporter,patcher be arrays?
  * example includes null severity values - should this be legal? Why
    would "patcher" be null? [If there's a reason, why not omit the key?]
  * including a link to the CVE on (was [text, and/or the GET API
    <>to return the CVE record]
  * providing a script that given a curl version (default to running
    curl on PATH), lists the unpatched CVEs [Put in curl-config?]
  * using the cve schema
  * (I'm not a fan, but a list of commits required to fix - for the
    selective patch distributions?)
  * If this is automated, how does the automation know when to include a
    CVE? When current release >= "last"?  Does this fit the final
    publication policy?
  * An API  to GET records applicable to a given curl version. (The full
    list is interesting to researchers, but probably no one else.  It
    will get big.)

Timothe Litt
ACM Distinguished Engineer
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

Received on 2023-05-01