Date: Wed, 2 Nov 2016 11:07:45 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

On 2016/11/02 08:13, Daniel Stenberg wrote:
> In version 7.51.0, the parser function is fixed.
> 
> A [patch for CVE-2016-8625](https://curl.haxx.se/CVE-2016-8625.patch) is
> available.

This switches to using libidn2, which hasn't had a substantial commit
in around 5 years (https://gitlab.com/jas/libidn2/commits/master), and
currently doesn't even show up in the file listing for the https
version of alpha.gnu.org/gnu/libidn/. (Somehow http and https are
different; the https version has HSTS headers which you might need to
take into account if comparing).

Moving something as widely used as curl to this makes me feel a little
uneasy (and I'm a bit surprised it wasn't called out specifically in the
release notes).

Has anyone poked at it much yet?
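The thread's subject concerns hostnames that encode differently under IDNA 2003 and IDNA 2008. The following is an added example, not part of Stuart Henderson's message, Daniel Stenberg's advisory, or curl's or libidn2's own code: it shows how one Unicode hostname can map to two different ASCII hosts depending on which standard a client applies, and gives a defender a simple check for flagging such divergence. It assumes the well-known U+00DF (ß) case, which IDNA 2003's nameprep maps to "ss" while IDNA 2008 keeps it as a distinct code point; the mapping steps are simplified (Unicode case folding plus NFKC for the 2003 side, no mapping at all for the 2008 side, and no prohibited-code-point checks on either), and the sample hostnames are constructed.

```python
# Added example (not from the oss-security thread): the same Unicode hostname
# can become two different ASCII hosts under IDNA 2003 and IDNA 2008.
#
# Assumptions: the IDNA 2003 side is a simplified nameprep (RFC 3454 table B.2
# is derived from Unicode full case folding, which maps U+00DF to "ss", followed
# by NFKC); the IDNA 2008 side performs no mapping. Neither side does the
# prohibited-code-point validation a real library does.
import unicodedata


def to_ascii_label(label: str) -> str:
    """Punycode-encode one label with the 'xn--' prefix; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def idna2003_ascii(host: str) -> str:
    """Simplified IDNA 2003 ToASCII: case folding + NFKC, then punycode.
    Case folding is what turns U+00DF into 'ss' under the 2003 rules."""
    labels = []
    for label in host.split("."):
        mapped = unicodedata.normalize("NFKC", label.casefold())
        labels.append(to_ascii_label(mapped))
    return ".".join(labels)


def idna2008_ascii(host: str) -> str:
    """Simplified IDNA 2008 ToASCII: no mapping step, so U+00DF survives
    into the punycode form instead of being rewritten to 'ss'."""
    return ".".join(to_ascii_label(label) for label in host.split("."))


def idna_divergence(host: str) -> dict:
    """Encode under both standards and flag hosts where they disagree.
    A client library switching standards (as curl did) changes which of the
    two names it actually connects to; logging this flag makes that visible."""
    a2003 = idna2003_ascii(host)
    a2008 = idna2008_ascii(host)
    return {
        "host": host,
        "idna2003": a2003,
        "idna2008": a2008,
        "diverges": a2003 != a2008,
    }


if __name__ == "__main__":
    # Constructed sample hostnames; "straße.de" is the classic U+00DF case,
    # "bücher.example" encodes identically under both standards.
    for h in ("straße.de", "bücher.example", "example.com"):
        r = idna_divergence(h)
        flag = "DIVERGES" if r["diverges"] else "same"
        print(f"{h:16} IDNA2003={r['idna2003']:24} IDNA2008={r['idna2008']:24} {flag}")
```

Run the block directly to see the three sample hosts; `straße.de` becomes `strasse.de` under the 2003 rules but `xn--strae-oqa.de` under the 2008 rules, which is why a client that silently switches standards can end up talking to a different server than the one the user typed.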
