

Re: More agenda!

From: Felix Hassert <>
Date: Wed, 1 Feb 2017 17:13:34 +0100


Without being able to provide a talk on that topic myself, I would be interested in the "Curl Security Process".

It's documented at, I know. But I could imagine some anecdotal slides to show how the process has worked for some random/specific/interesting vulnerability.

Also, I would find it interesting to learn about the considerations (by the curl security team) of a potential vulnerability. How, e.g., is the exploitability and the impact determined? And especially, what kind of use of curl do you have in mind?

Another aspect of the security process is the collaboration with OS vendors. Who is informed before disclosure? And how do _they_ consider the impact?

The impact varies a lot depending on the usage context. For example, an error in the cookie handling can be a great threat for a proxy or middleware that uses libcurl. However, the same issue may be negligible for shell scripts using curl in a "wget" style. How do the responsible teams at RedHat, SUSE etc. think of vulnerabilities of curl vs. libcurl? RH ships 7.29 and they don't port all security patches. How do they decide?

This topic may also be suitable for a discussion :)

Best regards,

Felix Hassert
Sevenval Technologies GmbH
Cologne, Germany
curl-meet mailing list
Received on 2017-02-01