Re: Some question about vulnerability
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 7 Mar 2025 08:49:48 +0100 (CET)
On Fri, 7 Mar 2025, 陈星杵 via curl-library wrote:
> regarding CVE-2022-43551[2], you mentioned that earlier versions might not
> be vulnerable because the HSTS feature was not enabled by default and was labeled
> as experimental. So I'm wondering what the significance of doing this work
> is. For the reason, I would like to ask, how do you determine the impact
> range of a vulnerability? Do you rely on dynamic analysis by running a
> Proof-of-Concept (PoC) or static code review?
I believe I am the individual having done this work for just about all past
curl vulnerabilities.
I have never used a tool for this other than git and mostly manual code
inspection. I wouldn't trust a tool to do it right (and I was not even aware
there were tools for this), and for a lot of vulnerabilities we either don't
have an easy reproducible (that works the same across versions) or we run into
problems with building older curl versions etc.
-- / daniel.haxx.se || https://rock-solid.curl.dev
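The reply above describes working out an affected version range with git plus manual inspection rather than by running a PoC against each release. The script below is an added illustration of that workflow and is not code from the curl project or from this thread: it builds a throwaway repository with a constructed linear history and release tags, uses git's pickaxe search (-S) to find the commit that introduced a defective line and the commit that removed it, and then lists every tag that carries the introducing commit but not the fix. The file name parse.c, the marker string unchecked_len, the commit messages and the tags v1.0 to v1.3 are all invented for the demo.

```shell
#!/bin/sh
# Added example (not from the curl project): determine which release tags
# carry a defect using only git history, in the spirit of the reply above.
# Everything in the repository built here is constructed for the demo.
set -eu

# build_demo_repo: create a temporary repository whose history introduces
# the defect after v1.0 and removes it before v1.3. Prints the repo path.
build_demo_repo() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        git init -q
        git config user.email "demo@example.invalid"
        git config user.name "demo"
        printf 'int parse(void) { return 0; }\n' > parse.c
        git add parse.c
        git commit -qm "initial parser"
        git tag v1.0
        # Constructed defect: an unchecked length value reaches the caller.
        printf 'int parse(void) { return unchecked_len; }\n' > parse.c
        git commit -qam "parser: add length handling"
        git tag v1.1
        printf 'notes\n' > README
        git add README
        git commit -qm "docs: add README"
        git tag v1.2
        # Constructed fix: the checked value replaces the unchecked one.
        printf 'int parse(void) { return checked_len; }\n' > parse.c
        git commit -qam "parser: check length before use"
        git tag v1.3
    )
    printf '%s\n' "$dir"
}

# introducing_commit REPO STRING: the oldest commit whose diff changes the
# number of occurrences of STRING in parse.c, i.e. the one that added it.
introducing_commit() {
    git -C "$1" log --reverse --format=%H -S"$2" -- parse.c | head -n 1
}

# fixing_commit REPO STRING: the newest commit touching STRING, i.e. the one
# that removed it again.
fixing_commit() {
    git -C "$1" log --format=%H -S"$2" -- parse.c | head -n 1
}

# affected_tags REPO BAD GOOD: release tags that contain the introducing
# commit but not the fix, space-separated on one line.
affected_tags() {
    git -C "$1" tag --contains "$2" --no-contains "$3" | tr '\n' ' ' | sed 's/ $//'
}

main() {
    repo=$(build_demo_repo)
    bad=$(introducing_commit "$repo" unchecked_len)
    good=$(fixing_commit "$repo" unchecked_len)
    printf 'introduced in %s\nfixed in      %s\naffected tags: %s\n' \
        "$bad" "$good" "$(affected_tags "$repo" "$bad" "$good")"
    rm -rf "$repo"
}

main "$@"
```

The pickaxe search only locates the commits; deciding that the line really is the defect, and that nothing else on the path between the two commits neutralises it, is the manual code inspection the reply refers to. The tag listing also assumes releases are plain tags on a linear history; with release branches and backported fixes, the same `--contains`/`--no-contains` query still works but has to be run per branch.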
Received on 2025-03-07