Daniel Stenberg | 24 Jan 10:18

curl URL sanitization vulnerability

                      curl URL sanitization vulnerability
                      ===================================

Project cURL Security Advisory, January 24th 2012
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   curl is vulnerable to a data injection attack for certain protocols through
   control characters embedded or percent-encoded in URLs.

   When parsing URLs, libcurl's parser is very lax and liberal and only
   parses as little as possible and lets as much as possible through as long as
   it can figure out what to do.

   In the specific process when libcurl extracts the file path part from a
   given URL, it didn't always verify the data or escape control characters
   properly before it passed the file path on to the protocol-specific code
   that then would use it for its protocol business.

   This passing through of control characters could be exploited by someone who
   would be able to pass in a handcrafted URL to libcurl. Lots of libcurl
   using applications let users enter URLs in one form or another and not all
   of these check the input carefully to prevent malicious ones.

   A malicious user might pass in %0d%0a to get treated as CR LF by libcurl,
   and by using this fact a user can trick for example a POP3 client to delete
   a message instead of getting it or trick an SMTP server to send an
   unintended message.

(Continue reading)
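As an added illustration of the check the advisory above describes (example code written for this page, not libcurl's own parser or its fix), the following Python rejects a URL whose path carries control characters either raw or percent-encoded, and shows the alternative of re-escaping them before the path reaches protocol code. The sample URLs, the function names and the hostnames are constructed for the example.

```python
from urllib.parse import urlsplit, unquote

# ASCII control characters: 0x00-0x1f plus DEL (0x7f). CR (0x0d) and LF (0x0a)
# are the ones that terminate command lines in POP3, SMTP, FTP and friends.
CONTROL_CHARS = frozenset(chr(c) for c in range(0x00, 0x20)) | {"\x7f"}

# Constructed sample URLs (made up for this example, not taken from the advisory).
SAMPLE_URLS = {
    "clean": "pop3://mail.example.test/1",
    "encoded_crlf": "pop3://mail.example.test/1%0d%0ainjected",
    "raw_lf": "ftp://files.example.test/dir\nfile",
}


def path_has_control_chars(url: str) -> bool:
    """Return True if the URL carries any control character, either raw in the
    string or hidden behind percent-encoding in the path."""
    # Check the raw string first. Some parsers (Python's urlsplit since 3.9.5 is
    # one) silently strip CR, LF and TAB before parsing, so testing only the
    # parsed path would miss a raw newline.
    if any(ch in CONTROL_CHARS for ch in url):
        return True
    # Then decode the path the way a protocol handler would and look again.
    decoded_path = unquote(urlsplit(url).path)
    return any(ch in CONTROL_CHARS for ch in decoded_path)


def escape_control_chars(decoded_path: str) -> str:
    """Percent-encode control characters in an already-decoded path so that
    protocol code which writes the path into a command line never emits a raw
    CR or LF. Everything else is left untouched."""
    return "".join(
        f"%{ord(ch):02X}" if ch in CONTROL_CHARS else ch for ch in decoded_path
    )


def check_samples() -> dict:
    """Run the check over the constructed samples; maps name -> flagged?"""
    return {name: path_has_control_chars(url) for name, url in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for name, flagged in check_samples().items():
        print(f"{name:13s} -> {'REJECT' if flagged else 'ok'}")
    print(escape_control_chars("1\r\ninjected"))
```

The raw-string check comes first on purpose: a parser that quietly drops CR and LF before splitting would otherwise make a raw newline invisible to the path check, which is the same class of silent leniency the advisory describes.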

Daniel Stenberg | 24 Jan 10:18

curl SSL CBC IV vulnerability

                         curl SSL CBC IV vulnerability
                         =============================

Project cURL Security Advisory, January 24th 2012
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
   for the SSL/TLS layer.

   This vulnerability has been identified (CVE-2011-3389) and is addressed by
   OpenSSL already as they have made a work-around to mitigate the problem.
   When doing so, they figured out that some servers didn't work with the
   work-around and offered a way to disable it.

   The bit used to disable the workaround was then added to the generic
   SSL_OP_ALL bitmask that SSL clients may use to enable work-arounds for
   better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask.

   While SSL_OP_ALL is documented to enable "rather harmless" work-arounds, it
   does in this case effectively enable this security vulnerability again.

   There is no known exploit for this problem.

2. AFFECTED VERSIONS

   Only curl and libcurl builds that use OpenSSL are affected.

   Affected versions: curl 7.10.6 to and including 7.23.1
(Continue reading)

Daniel Stenberg | 24 Jan 10:17

ANNOUNCE: curl and libcurl 7.24.0

Hello!

I'm happy to announce that I've just packaged and uploaded another curl 
release. We've fixed many bugs and added a bunch of new features. As usual you 
get it from http://curl.haxx.se/

This time we also ship two security fixes, announced separately just within 
moments from now.

Curl and libcurl 7.24.0

  Public curl releases:         127
  Command line options:         149
  curl_easy_setopt() options:   192
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 907

This release includes the following security fixes:

  o curl was vulnerable to a data injection attack for certain protocols
    http://curl.haxx.se/docs/adv_20120124.html
  o curl was vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
    http://curl.haxx.se/docs/adv_20120124B.html

This release includes the following changes:

  o CURLOPT_QUOTE: SFTP supports the '*'-prefix now [24]
  o CURLOPT_DNS_SERVERS: set name servers if possible [23]
  o Add support for using nettle instead of gcrypt as gnutls backend [22]
(Continue reading)

Daniel Stenberg | 17 Nov 18:27

ANNOUNCE: curl 7.23.1

Hi friends,

As we shipped 7.23.0 with a pretty annoying Windows curl bug - yes, ONLY in 
the windows version of the curl tool - I decided to build and ship 7.23.1 
right away.

If you're not using windows or if you only use libcurl, this upgrade offers 
nothing new.

Get 7.23.1 as usual from http://curl.haxx.se/

Curl and libcurl 7.23.1

  Public curl releases:         126
  Command line options:         149
  curl_easy_setopt() options:   192
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 907

This release includes the following bugfixes:

  o Windows: curl would fail if it found no CA cert, unless -k was used. Even
    if a non-SSL protocol URL was used

This release includes the following known bugs:

  o see docs/KNOWN_BUGS (http://curl.haxx.se/docs/knownbugs.html)

This release would not have looked like this without help, code, reports and
(Continue reading)

Daniel Stenberg | 15 Nov 22:28

ANNOUNCE: curl and libcurl 7.23.0

Hi friends,

I'm happy to announce that curl and libcurl 7.23.0 have been packaged and 
uploaded to the site at http://curl.haxx.se/

Curl and libcurl 7.23.0

  Public curl releases:         125
  Command line options:         149
  curl_easy_setopt() options:   192
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 873

This release includes the following changes:

  o Empty headers can be sent in HTTP requests by terminating with a semicolon
  o SSL session sharing support added to curl_share_setopt()
  o Added support to MAIL FROM for the optional SIZE parameter
  o smtp: Added support for NTLM authentication
  o curl tool: code split into tool_*.[ch] files

This release includes the following bugfixes:

  o handle HTTP redirects to "//hostname/path"
  o SMTP without --mail-from caused segfault
  o prevent extra progress meter headers between multiple files
  o allow Content-Length to be replaced when sending HTTP requests
  o curl now always sets postfieldsize to allow --data-binary and --data
    to be mixed in the same command line
(Continue reading)

Daniel Stenberg | 13 Sep 19:35

ANNOUNCE: curl and libcurl 7.22.0

Hi!

I'm happy to announce that curl and libcurl version 7.22.0 have just been 
uploaded to the site. Get it from http://curl.haxx.se/

Curl and libcurl 7.22.0

  Public curl releases:         124
  Command line options:         149
  curl_easy_setopt() options:   192
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 873

This release includes the following changes:

  o Added CURLOPT_GSSAPI_DELEGATION
  o Added support for NTLM delegation to Samba's winbind daemon helper ntlm_auth
  o Display notes from setup file in testcurl.pl
  o BSD-style lwIP TCP/IP stack experimental support on Windows
  o OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
  o --delegation was added to set CURLOPT_GSSAPI_DELEGATION
  o nss: start with no database if the selected database is broken
  o telnet: allow programmatic use on Windows

This release includes the following bugfixes:

  o curl_getdate: detect some illegal dates better
  o when sending a request and an error is received before the (entire) request
    body is sent, stop sending the request and close the connection after
(Continue reading)

Daniel Stenberg | 23 Jun 11:39

SECURITY VULNERABILITY: inappropriate GSSAPI delegation

                    libcurl inappropriate GSSAPI delegation
                    =======================================

Project cURL Security Advisory, June 23rd 2011
http://curl.haxx.se/docs/security.html

1. VULNERABILITY

   When doing GSSAPI authentication, libcurl unconditionally performs
   credential delegation. This hands the server a copy of the client's security
   credentials, allowing the server to impersonate the client to any other
   using the same GSSAPI mechanism. This is obviously a very sensitive
   operation, which should only be done when the user explicitly so directs.

   The GSS/Negotiate feature is only used by libcurl for HTTP authentication if
   told to, and only if libcurl was built with a library that provides the
   GSSAPI. Many builds of libcurl don't have GSS enabled.

   There is no known exploit for this problem.

   The Common Vulnerabilities and Exposures (CVE) project has assigned the name
   CVE-2011-2192 to this issue.

2. AFFECTED VERSIONS

   Affected versions: curl 7.10.6 to and including 7.21.6
   Not affected versions: curl < 7.10.6 and >= 7.21.7

   Also note that libcurl is used by many applications, and not always
   advertised as such.
(Continue reading)

Daniel Stenberg | 23 Jun 11:38

ANNOUNCE: curl and libcurl 7.21.7

Hi friends,

I'm happy to tell you that curl and libcurl 7.21.7 have just been uploaded. 
This time with an associated security advisory.

Enjoy!

Curl and libcurl 7.21.7

  Public curl releases:         123
  Command line options:         144
  curl_easy_setopt() options:   186
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 868

This release includes the following changes:

  o recognize the [protocol]:// prefix in proxy hosts where the protocol is one
    of socks4, socks4a, socks5 or socks5h.
  o Added CURLOPT_CLOSESOCKETFUNCTION and CURLOPT_CLOSESOCKETDATA

This release includes the following bugfixes:

  o SECURITY ADVISORY: inappropriate GSSAPI delegation. Full details at
    http://curl.haxx.se/docs/adv_20110623.html
  o NTLM: work with unicode
  o fix connect with SOCKS proxy when using the multi interface
  o anyauthput.c: stdint.h must not be included unconditionally
  o CMake: improved build
(Continue reading)

Daniel Stenberg | 22 Apr 19:30

ANNOUNCE: curl and libcurl 7.21.6

Hi friends!

Due to the significant bug with the broken HTTPS over HTTP proxy, I've 
packaged a new release and uploaded it to the site. Get it as usual from

    http://curl.haxx.se/

Since this release comes just a few days after the previous release, we of 
course have not done many changes but I'm still listing them below.

Curl and libcurl 7.21.6

  Public curl releases:         122
  Command line options:         144
  curl_easy_setopt() options:   186
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 865

This release includes the following changes:

  o Added --tr-encoding and CURLOPT_TRANSFER_ENCODING

This release includes the following bugfixes:

  o curl-config: fix --version
  o curl_easy_setopt.3: CURLOPT_PROXYTYPE clarification
  o use HTTPS properly after CONNECT
  o SFTP: close file before post quote operations

(Continue reading)

Daniel Stenberg | 17 Apr 23:33

ANNOUNCE: curl and libcurl 7.21.5

Hi friends!

I'm happy to once again be able to let you know that we have a new release 
out. It counts no less than 5 changes and 41 bugfixes made during the 58 days 
since the previous release. As usual this is a team effort and the great 
people behind this release are mentioned below. Remember to buy them a beer if 
you ever run into one of them!

As usual, run over to http://curl.haxx.se/ to download the code. We keep track 
of all the binary packages we know of, but they will of course take some time 
to get updated.

The details for this particular release are listed below.

Curl and libcurl 7.21.5

  Public curl releases:         121
  Command line options:         143
  curl_easy_setopt() options:   185
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 854

This release includes the following changes:

  o SOCKOPTFUNCTION: callback can say already-connected
  o Added --netrc-file
  o Added (new) support for cyassl
  o TLS-SRP: enabled with OpenSSL
  o Added CURLE_NOT_BUILT_IN and CURLE_UNKNOWN_OPTION
(Continue reading)

Daniel Stenberg | 17 Feb 14:08

ANNOUNCE: curl and libcurl 7.21.4

Hi friends!

For the 120th time, I have the pleasure of announcing another release. It's 
taken us 64 days since the previous release and we offer you 29 bugfixes and 7 
changes. Enjoy!

Get 7.21.4 from the usual place: http://curl.haxx.se/

Curl and libcurl 7.21.4

  Public curl releases:         120
  Command line options:         143
  curl_easy_setopt() options:   185
  Public functions in libcurl:  58
  Known libcurl bindings:       39
  Contributors:                 834

This release includes the following changes:

  o CURLINFO_FTP_ENTRY_PATH now supports SFTP
  o introduced new framework for unit-testing
  o IDN: use win32 API if told to
  o ares: ask for both IPv4 and IPv6 addresses
  o HTTP: do Negotiate authentication using SSPI on windows
  o Windows build: alternative makefile
  o TLS-SRP: support added when using GnuTLS

This release includes the following bugfixes:

  o SMTP: add brackets for MAIL FROM
(Continue reading)
