Here's a user in the wild who was bitten by the Apple "backdoor" in #curl:
github.com/curl/curl/discussio…
Is there a feature to get intermediate certificates automatically? · curl curl · Discussion #14009
Question: When studying certificate mechanisms, I discovered that curl requests do not encounter problems even without intermediate certificates. While web browsers automatically fetch intermediate ...
Callionica
in reply to daniel:// stenberg://
Is 2 months normal for an Apple response to a security incident raised by the maintainer of curl? Or did you have earlier discussions with them? Would hope you’d have a direct hotline.
You say you were aware since Dec 2023. Do you know how long the back door has been there?
daniel:// stenberg://
in reply to Callionica
@callionica they are always slow - I have no secret direct channel to them. I can only use their generic product security email. But they did respond faster than two months, it just took them this long to come to a conclusion about this particular issue.
I don't know how long it has been there. It would not surprise me if it has been there since they started building curl with libressl, several years ago. (can't recall the exact timing for that)
Jaanus Kase
in reply to daniel:// stenberg://
wow. Been using curl and Apple platforms and did not know this. Your blog post is helpful. Thank you.
I think the workaround for intermediate/advanced users is fine. Anyone who does serious software things on macOS is/should be aware of homebrew, and using manually installed alternatives to the system-provided tools.