Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 2 Nov 2016 12:53:04 +0100
From: Robert Scheck <>
Cc: Daniel Stenberg <>
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use
 wrong host

On Wed, 02 Nov 2016, Daniel Stenberg wrote:
> For example, `straß` is translated into `` using IDNA 2003 but
> is translated into `` using IDNA 2008. Needless to say, those
> host names could very well resolve to different addresses and be two
> completely independent servers. IDNA 2008 is mandatory for .de domains.
> curl is not alone with this problem, as there's currently a big flux in the
> world of network user-agents about which IDNA version to support and use.

From my point of view, this especially affects GNU libc for example.

On the other hand, I am wondering if this should be really classified as a
security related issue. Being interested in IDNA 2008 support myself, I did
some IDNA 2008 patches in the past, but practically IDNA 2008 support is
still not that widespread as I would wish. Does using an older standard (as
in IDNA 2003) really classify this issue as a security related one? If so,
I guess many upstreams should be explicitly made aware of that soon. Maybe
MITRE (or somebody else) could share their thoughts about this, too?

> It was first reported to the curl project on October 11 by Christian Heimes.

I reported the "ß" issue and the lack of IDNA 2008 support in cURL on Sun,
18 May 2014 17:17:03 +0200 directly to you, but I didn't classify it as a
security related issue though... ;-)


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.