Skip to content
  1. Jan 24, 2012
    • Daniel Stenberg's avatar
      gnutls: enforced use of SSLv3 · 70f71bb9
      Daniel Stenberg authored
      With advice from Nikos Mavrogiannopoulos, changed the priority string to
      add "actual priorities" and favour ARCFOUR. This makes libcurl work
      better when enforcing SSLv3 with GnuTLS. Both in the sense that the
      libmicrohttpd test is now working again but also that it mitigates a
      weakness in the older SSL/TLS protocols.
      
      Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html
      Reported by: Christian Grothoff
      70f71bb9
    • Daniel Stenberg's avatar
      tests: test CRLF in URLs · c11c30a8
      Daniel Stenberg authored
      Related to the security vulnerability: CVE-2012-0036
      
      Bug: http://curl.haxx.se/docs/adv_20120124.html
      c11c30a8
    • Daniel Stenberg's avatar
      URL sanitize: reject URLs containing bad data · 75ca568f
      Daniel Stenberg authored
      Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
      decoded manner now use the new Curl_urldecode() function to reject URLs
      with embedded control codes (anything that is or decodes to a byte value
      less than 32).
      
      URLs containing such codes could easily otherwise be used to do harm and
      allow users to do unintended actions with otherwise innocent tools and
      applications. Like for example using a URL like
      pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
      a mail and instead this would delete one.
      
      This flaw is considered a security vulnerability: CVE-2012-0036
      
      Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
      
      Reported by: Dan Fandrich
      75ca568f
    • Daniel Stenberg's avatar
      OpenSSL: don't disable security work-around · db1a856b
      Daniel Stenberg authored
      OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
      (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit
      to SSL_OP_ALL that _disables_ that work-around despite the fact that
      SSL_OP_ALL is documented to do "rather harmless" workarounds.
      
      The libcurl code uses the SSL_OP_ALL define and thus logically always
      disables the OpenSSL fix.
      
      In order to keep the secure work-around workding, the
      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set and this change
      makes sure of this.
      
      Reported by: product-security at Apple
      db1a856b
  2. Jan 22, 2012
  3. Jan 21, 2012
  4. Jan 20, 2012
  5. Jan 19, 2012
  6. Jan 18, 2012
  7. Jan 17, 2012
  8. Jan 16, 2012
  9. Jan 15, 2012
  10. Jan 14, 2012
  11. Jan 13, 2012
  12. Jan 12, 2012