Message-ID: <10n6r798-on4q-0439-9832-np61291n9os9@unkk.fr>
Date: Wed, 10 Sep 2025 14:22:51 +0200 (CEST)
From: Daniel Stenberg <daniel@...x.se>
To: Emilio Pozuelo Monfort <pochu27@...il.com>
cc: oss-security@...ts.openwall.com, 
    curl security announcements -- curl users <curl-users@...ts.haxx.se>, 
    libcurl hacking <curl-library@...ts.haxx.se>
Subject: Re: [SECURITY ADVISORY] curl: CVE-2025-10148:
 predictable WebSocket mask

On Wed, 10 Sep 2025, Emilio Pozuelo Monfort wrote:

> From what I can see, websocket support was introduced in 7.86 in [1], and 
> later marked as supported/not-experimental in 8.11 [2]. If so, I think the 
> above note (also in [3]) should say that it was experimental before 8.11.

Thank you. I don't know how I could get that wrong (as the introduced-in 
commit is the right one), but you are entirely correct. Thank you.

I will update the CVE.

-- 

  / daniel.haxx.se || https://rock-solid.curl.dev
