Daniel Stenberg | 12 Apr 2013 10:52

[SECURITY ADVISORY] libcurl cookie domain tailmatch

                        libcurl cookie domain tailmatch
                        ===============================

Project cURL Security Advisory, April 12th 2013
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   libcurl is vulnerable to a cookie leak vulnerability when doing requests
   across domains with matching tails.

   When communicating over HTTP(S) and having libcurl's cookie engine enabled,
   libcurl will store and hold cookies for use when subsequent requests are
   done to hosts and paths that match those kept cookies. Due to a bug in the
   tailmatching function, libcurl could wrongly send cookies meant for the
   domain 'ample.com' when communicating with 'example.com'.

   This vulnerability can be used to hijack sessions in targeted attacks since
   registering domains using a known domain's name as an ending is trivial.

   Both curl the command line tool and applications using the libcurl library
   are vulnerable.

   There are no known exploits available at this time.

   The Common Vulnerabilities and Exposures (CVE) project has assigned the name
   CVE-2013-1944 to this issue.

2. AFFECTED VERSIONS

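The tailmatch flaw described in the advisory above, shown as an added C example that is not curl's source code: a suffix-only comparison next to one that also requires the match to start on a label boundary. The function names and the host list in main() are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes. */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
  for(size_t i = 0; i < n; i++)
    if(tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
      return false;
  return true;
}

/* Flawed: accepts any host that merely ends with the cookie domain. */
bool tailmatch_suffix_only(const char *cookie_domain, const char *host)
{
  size_t dlen = strlen(cookie_domain);
  size_t hlen = strlen(host);
  if(dlen == 0 || hlen < dlen)
    return false;
  return eq_nocase(cookie_domain, host + (hlen - dlen), dlen);
}

/* Corrected: the matching tail must also start on a label boundary. */
bool tailmatch_label_boundary(const char *cookie_domain, const char *host)
{
  size_t dlen, hlen;
  if(*cookie_domain == '.')   /* treat ".ample.com" like "ample.com" */
    cookie_domain++;
  dlen = strlen(cookie_domain);
  hlen = strlen(host);
  if(dlen == 0 || hlen < dlen)
    return false;
  if(!eq_nocase(cookie_domain, host + (hlen - dlen), dlen))
    return false;
  if(hlen == dlen)
    return true;              /* exact host match */
  return host[hlen - dlen - 1] == '.';  /* "www.ample.com" yes, "example.com" no */
}

int main(void)
{
  /* Constructed host names; the cookie domain is the advisory's 'ample.com'. */
  const char *hosts[] = { "ample.com", "www.ample.com", "example.com" };
  for(size_t i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
    printf("%-14s suffix-only=%d label-boundary=%d\n", hosts[i],
           tailmatch_suffix_only("ample.com", hosts[i]),
           tailmatch_label_boundary("ample.com", hosts[i]));
  return 0;
}
```

The corrected function covers only the boundary check; the other cookie domain rules, such as refusing domain matches for IP-address hosts, are outside its scope.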

Daniel Stenberg | 12 Apr 2013 10:52

[RELEASE] curl and libcurl 7.30.0

Hello world!

I'm happy to present curl and libcurl version 7.30.0, readily available for
download from http://curl.haxx.se/ as usual.

Take note of the security advisory associated with this release. I'll post a 
separate mail about it in a second.

This time I especially want to say THANK YOU to and highlight the large number 
of contributors who have helped us make this release what it is. Over 40 
names are listed below as having helped out with changes that are included in 
this release. See below for the full list of heroes.

Curl and libcurl 7.30.0

  Public curl releases:         132
  Command line options:         152
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       42
  Contributors:                 1005

***
   krb4 support is up for removal. If you care about it at all, speak up
   on the curl-library list asap!
***

This release includes the following changes:

  o imap: Changed response tag generation to be completely unique

Daniel Stenberg | 6 Feb 2013 11:25

[RELEASE] curl and libcurl 7.29.0

Hello world!

I'm happy to present curl and libcurl version 7.29.0, readily available for 
download from http://curl.haxx.se/ as usual.

This time we have a little security advisory you may want to pay closer 
attention to...

Curl and libcurl 7.29.0

  Public curl releases:         131
  Command line options:         152
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 993

This release includes the following security fix:

  o POP3/IMAP/SMTP SASL buffer overflow vulnerability [17]

This release includes the following changes:

  o test: offer "automake" output and check for perl better
  o always-multi: always use non-blocking internals [1]
  o imap: Added support for sasl digest-md5 authentication
  o imap: Added support for sasl cram-md5 authentication
  o imap: Added support for sasl ntlm authentication
  o imap: Added support for sasl login authentication
  o imap: Added support for sasl plain text authentication

Daniel Stenberg | 6 Feb 2013 11:24

[SECURITY ADVISORY] libcurl SASL buffer overflow

                   libcurl SASL buffer overflow vulnerability
                   ==========================================

Project cURL Security Advisory, February 6th 2013
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   libcurl is vulnerable to a buffer overflow vulnerability when communicating
   with one of the protocols POP3, SMTP or IMAP.

   When negotiating SASL DIGEST-MD5 authentication, the function
   Curl_sasl_create_digest_md5_message() uses the data provided from the server
   without doing the proper length checks and that data is then appended to a
   local fixed-size buffer on the stack.

   This vulnerability can be exploited by someone who is in control of a server
   that a libcurl based program is accessing with POP3, SMTP or IMAP. For
   applications that accept user provided URLs, it is also thinkable that a
   malicious user would feed an application with a URL to a server hosting code
   targeting this flaw.

   This vulnerability can be used for remote code execution (RCE) on vulnerable
   systems.

   Both curl the command line tool and applications using the libcurl library
   are vulnerable.

   There is no known exploit for this problem. There has been


Daniel Stenberg | 20 Nov 2012 10:13

[RELEASE] curl and libcurl 7.28.1

Hi friends!

During the last 41 days, 27 contributors helped out to fix at least 31 bugs 
and I'm happy to inform you that curl and libcurl 7.28.1 have been uploaded to 
the site, available as always from:

 	http://curl.haxx.se/

Curl and libcurl 7.28.1

  Public curl releases:         130
  Command line options:         152
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 979

This release includes the following changes:

  o metalink/md5: Use CommonCrypto on Apple operating systems
  o href_extractor: new example code extracting href elements
  o NSS can be used for metalink hashing [13]

This release includes the following bugfixes:

  o Fix broken libmetalink-aware OpenSSL build
  o gnutls: fix the error is fatal logic [1]
  o darwinssl: un-broke iOS build, fix error on server disconnect
  o asyn-ares: restore functionality with c-ares < 1.6.1 [2]
  o tlsauthtype: deal with the string case insensitively [3]

Daniel Stenberg | 10 Oct 2012 22:21

ANNOUNCE: curl and libcurl 7.28.0

Hi friends!

It is with great joy I announce another curl and libcurl release. 75 days 
since the previous one the story continues.

Now run off and download this from http://curl.haxx.se as usual, or be a bore 
and wait until your distro packages it for you! =)

Curl and libcurl 7.28.0

  Public curl releases:         129
  Command line options:         152
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 953

This release includes the following changes:

  o SSH: added agent based authentication
  o ftp: active conn, allow application to set sockopt after accept() call
    with CURLSOCKTYPE_ACCEPT
  o multi: add curl_multi_wait() [12]
  o metalink: Added support for Microsoft Windows CryptoAPI
  o md5: Added support for Microsoft Windows CryptoAPI
  o parse_proxy: treat "socks://x" as a socks4 proxy [17]
  o socks: Added support for IPv6 connections through SOCKSv5 proxy

This release includes the following bugfixes:


Daniel Stenberg | 27 Jul 2012 23:23

ANNOUNCE: curl and libcurl 7.27.0

Friends!

Hurry on over to http://curl.haxx.se/download.html and download the fresh 
release! This time with new features and two new SSL libraries supported.

Curl and libcurl 7.27.0

  Public curl releases:         128
  Command line options:         152
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 953

This release includes the following changes:

  o nss: use human-readable error messages provided by NSS
  o added --metalink for metalink download support [5]
  o pop3: Added support for sasl plain text authentication
  o pop3: Added support for sasl login authentication
  o pop3: Added support for sasl ntlm authentication
  o pop3: Added support for sasl cram-md5 authentication
  o pop3: Added support for sasl digest-md5 authentication
  o pop3: Added support for apop authentication
  o Added support for Schannel (Native Windows) SSL/TLS encryption [2]
  o Added support for Darwin SSL (Native Mac OS X and iOS) [6]
  o http: print reason phrase from HTTP status line on error [8]

This release includes the following bugfixes:


Daniel Stenberg | 24 May 2012 18:19

ANNOUNCE: curl and libcurl 7.26.0

Hello team!

I'm happy to announce that we once again managed to produce a release. curl 
and libcurl 7.26.0 have just been uploaded to our good old site at

 	http://curl.haxx.se/

The release notes for this episode of our never-ending saga follow here:

Curl and libcurl 7.26.0

  Public curl releases:         127
  Command line options:         151
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 929

This release includes the following changes:

  o nss: the minimal supported version of NSS bumped to 3.12.x
  o nss: human-readable names are now provided for NSS errors if available
  o add a manual page for mk-ca-bundle
  o added --post303 and the CURL_REDIR_POST_303 option for CURLOPT_POSTREDIR
  o smtp: Add support for DIGEST-MD5 authentication
  o pop3: Added support for additional pop3 commands

This release includes the following bugfixes:

  o nss: libcurl now uses NSS_InitContext() to prevent collisions if available

Daniel Stenberg | 22 Mar 2012 20:04

ANNOUNCE: curl and libcurl 7.25.0

Hello friends!

I'm glad to once again tell you about an updated curl and libcurl package. I 
missed our 14th anniversary by just two days but instead I hope we have a 
bug or two fewer included!

As usual, fetch it from http://curl.haxx.se/

Enjoy!

Curl and libcurl 7.25.0

  Public curl releases:         127
  Command line options:         151
  curl_easy_setopt() options:   199
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 929

This release includes the following changes:

  o configure: add option disable --libcurl output [1]
  o --ssl-allow-beast and CURLOPT_SSL_OPTIONS added [2]
  o Added CURLOPT_TCP_KEEPALIVE, CURLOPT_TCP_KEEPIDLE, CURLOPT_TCP_KEEPINTVL [4]
  o curl: use new library-side TCP_KEEPALIVE options [5]
  o Added a new CURLOPT_MAIL_AUTH option [13]
  o Added support for --mail-auth [14]
  o --libcurl now also works with -F and more! [15]

This release includes the following bugfixes:

Daniel Stenberg | 24 Jan 2012 10:18

curl URL sanitization vulnerability

                      curl URL sanitization vulnerability
                      ===================================

Project cURL Security Advisory, January 24th 2012
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   curl is vulnerable to a data injection attack for certain protocols through
   control characters embedded or percent-encoded in URLs.

   When parsing URLs, libcurl's parser is very lax and liberal and only
   parses as little as possible and lets as much as possible through as long as
   it can figure out what to do.

   In the specific process when libcurl extracts the file path part from a
   given URL, it didn't always verify the data or escape control characters
   properly before it passed the file path on to the protocol-specific code
   that then would use it for its protocol business.

   This passing through of control characters could be exploited by someone who
   would be able to pass in a handcrafted URL to libcurl. Lots of
   libcurl-using applications let users enter URLs in one form or another and not all
   of these check the input carefully to prevent malicious ones.

   A malicious user might pass in %0d%0a to get treated as CR LF by libcurl,
   and by using this fact a user can trick for example a POP3 client to delete
   a message instead of getting it or trick an SMTP server to send an
   unintended message.

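One way an application that accepts user-supplied URLs can check them before handing them to libcurl, as the advisory above says not all applications do. This is an added C example, not libcurl code; the function name is hypothetical and the sample URLs in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
  if(c >= '0' && c <= '9') return c - '0';
  if(c >= 'a' && c <= 'f') return c - 'a' + 10;
  if(c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

/* Hypothetical helper: true only if the URL holds no control character
   (0x00-0x1F, 0x7F), either raw or percent-encoded, and no broken escape.
   Each %XX is decoded once, so "%250d" stays the literal text "%0d". */
bool url_is_free_of_control_chars(const char *url)
{
  for(size_t i = 0; url[i] != '\0'; i++) {
    unsigned char c = (unsigned char)url[i];
    if(c == '%') {
      int hi = hexval(url[i + 1]);
      int lo = (hi < 0) ? -1 : hexval(url[i + 2]);
      if(hi < 0 || lo < 0)
        return false;           /* malformed escape: reject, do not guess */
      c = (unsigned char)(hi * 16 + lo);
      i += 2;
    }
    if(c < 0x20 || c == 0x7f)
      return false;
  }
  return true;
}

int main(void)
{
  /* Constructed sample inputs. */
  const char *urls[] = {
    "pop3://mail.example.com/1",
    "pop3://mail.example.com/1%0d%0aX",
    "http://example.com/a%20b",
    "http://example.com/a%2",
  };
  for(size_t i = 0; i < sizeof(urls) / sizeof(urls[0]); i++)
    printf("%-36s %s\n", urls[i],
           url_is_free_of_control_chars(urls[i]) ? "accept" : "reject");
  return 0;
}
```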

Daniel Stenberg | 24 Jan 2012 10:18

curl SSL CBC IV vulnerability

                         curl SSL CBC IV vulnerability
                         =============================

Project cURL Security Advisory, January 24th 2012
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   curl is vulnerable to an SSL CBC IV vulnerability when built to use OpenSSL
   for the SSL/TLS layer.

   This vulnerability has been identified (CVE-2011-3389) and is addressed by
   OpenSSL already as they have made a work-around to mitigate the problem.
   When doing so, they figured out that some servers didn't work with the
   work-around and offered a way to disable it.

   The bit used to disable the workaround was then added to the generic
   SSL_OP_ALL bitmask that SSL clients may use to enable work-arounds for
   better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask.

   While SSL_OP_ALL is documented to enable "rather harmless" work-arounds, it
   does in this case effectively enable this security vulnerability again.

   There is no known exploit for this problem.

2. AFFECTED VERSIONS

   Only curl and libcurl builds that use OpenSSL are affected.

   Affected versions: curl 7.10.6 to and including 7.23.1

