Items tagged with: curl

I don't send many emails anymore. I receive emails but I don't send many. Even at work, most of our communication is done via other means. But I do generate at least one email a day to send to a group of external testers. I don't send this from a traditional mail client. Instead it is a shell script that gathers some information and opens a text editor to add further comments. After that the file is sent with #cURL, via smtp. That means that curl is my main mail client (at least for sending). 🤔
#curl

We seem to have data that confirms that the #curl bug-bounty has received a steep increased submission rate through 2025, while several other Open Source programs also hosted on Hackerone have not. (There's a graph coming in my pending blog post.)

What could possibly be the reason for us taking more heat and more junk than others? Why oh why?

#curl


With the four new ones from my blog post yesterday, we are at 98 graphs on the #curl dashboard.

I think I might go wild and celebrate reaching the mythical 100 graphs with a blog post if we get there.

#curl

I use #curl _a lot_ when probing exploitable stuff.

I should donate to curl.

*30 seconds later*

I have now donated to curl.

#curl


I re-implemented the rate limiting in #curl, coming in the next release. A description.

eissing.org/icing/posts/curl-r…

#curl


Today I received *two* seemingly independent offers to start a "web3" funding initiative for #curl.

That feels like two too many. No thanks. Take your scam offers to someone else.

#curl

Thanks for Your Contribution to the #curl Project 💚
#curl

If you need the latest #curl with support for #OpenSSL v1.x I have a version for you a support contract away.

»curl — project ends bug bounty program:
curl maintainer @bagder has announced the end of the bug bounty program. Unusable AI reports apparently got out of hand.«

Come on, the AI is artificial but not intelligent, or what is it now?!?? I even think that, as far as AI is concerned, this is still the relatively smallest "problem". A pity that the curl bug bounty is being dissolved because of it.

🧑‍💻 heise.de/news/curl-Projekt-bee…

#curl #ki #bugbounty #unbrauchbar #ai #uberhang #ausserkontrolle #it #ittools


"This is a vulnerability"
"No, it isn't"
"Yes, it is"
"Prove it!"
"Ok, it may not be now...
...but it is a trap for future developers!"

Security reporting for the utterly deranged.
#curl

Meanwhile, we have now added 4 lines of code for every line of code still remaining in #curl.

This means that on average, every single line of production code has been touched four times. Written once, then updated three more times. And yeah, some lines of course many more times than average, and some less so.

#curl


added a median plot to the average #curl source code complexity graph
#curl


It's about sustainability too. #curl is a small project. We cannot spend multiple hours every day arguing with people who want money for having found what is perhaps a bug - but often is not even that.

It drains us. It drowns us.

Onward and upward!

#curl


Should I submit a #hackerone submission for #curl, identifying hackerone as a DoS attack vector for the project, recommending deprecation?


We are at *twenty* hackerone submissions for #curl so far this year. Zero of them a confirmed vulnerability.
#curl


It is our moral imperative to consider the "real world" and actual users when assessing the possible security impact of a reported #curl issue. If we deem that there is likely to be zero affected users, then we do more damage than good by insisting on doing the security dance for the issue.

Then we end up with a severity level that is below LOW, and then we treat it as a bug instead. For the good of mankind.

#curl


To be frank: the report quality on Hackerone is so low by now that the #curl team decided to make CVEs based only on the coolness of the reporter's username.

💁🏻‍♂️😌

#curl


On the morning of the 13th day of the year we have received *checks notes* 13 #curl vulnerability reports on Hackerone this year.

None a confirmed vulnerability.

#curl


Working on #curl's rate limiting again today. It's a fun challenge to get this "right".

Just a few users of this feature, though. Like Steam, Roku and Netflix. That I know of, at least.

Do you use rate limiting transfers? Do you know anyone besides #curl offering this?

#curl


The latest #curl update will now properly report long transfer times when sending data to Mars.
#curl


Augment (which gave the #curl project free access) is changing pricing (again) in what seems to be a 10x increase.

Augment pricing changes from 'messages' (the number of answers, which you control) to 'credit' (which is effort controlled by Augment).

And this is probably still not enough to cover their real costs, not even speaking of profit.

Wherever you stand on the LLM debate, don't become dependent on those companies. Their business model sucks.

theregister.com/2025/10/15/aug…

#curl

In this latest #curl release, we are now three persons having our names on >10,000 lines of product code when doing git blame. @icing, @vsz and myself.

10 separate people have their names on 1000+ lines.

#curl 8.18.0 has been released. This release fixes 2 medium and 4 low level vulnerabilities:
- CVE-2025-13034: No QUIC certificate pinning with GnuTLS curl.se/docs/CVE-2025-13034.ht…
- CVE-2025-14017: broken TLS options for threaded LDAPS curl.se/docs/CVE-2025-14017.ht…
- CVE-2025-14524: bearer token leak on cross-protocol redirect curl.se/docs/CVE-2025-14524.ht…
- CVE-2025-14819: OpenSSL partial chain store policy bypass curl.se/docs/CVE-2025-14819.ht…
- CVE-2025-15079: libssh global knownhost override curl.se/docs/CVE-2025-15079.ht…
- CVE-2025-15224: libssh key passphrase bypass without agent set curl.se/docs/CVE-2025-15224.ht…

I discovered the last 2 vulnerabilities.

Download curl 8.18.0 from curl.se/download.html

#vulnerabilityresearch #vulnerability #cybersecurity #infosec