And here's yesterday's AI slop security report in #curl. This might not be immediately obvious to the untrained eye;
Title: Potential Use-After-Free Vulnerability in cf_h2_proxy_ctx_free Function of libcurl Vulnerability Overview: A potential Use-After-Free (UAF) vulnerability has been identified in the...HackerOne
## Summary: The fix for CVE-2024-11053 seems to be incomplete.The information leak problem could be reproduced again if use netrc in step1. ## Affected version all ## Steps To Reproduce: 1....HackerOne
It's been a year since "you too could have made #curl"
daniel.haxx.se/blog/2024/02/06…
https://www.youtube.com/watch?v=kCJmAyUr1j4 This is the video recording of my talk with this title, done at February 4, 2024 10:00 in the K1.105 room at FOSDEM 2024.daniel.haxx.se
Daniel makes the curl 8.12.0 release. Shows how a curl release is done. This is the 264th curl release. Shows the scripts, the procedures and the general pro...YouTube
The #curl 8.12.0 presentation
Daniel describes the three new CVEs, the eight changes and some thirty of the bugfixes done in curl 8.12.0 released on February 5, 2025.YouTube
#curl 8.12.0
daniel.haxx.se/blog/2025/02/05…
Release presentation The live-streamed release video presentation happens on February 5 2025 at 09:00 UTC on twitch.daniel.haxx.se
A maintainer tracked down an AI company that said the spam was a mistake. But reports suggest the problem is more widespread and growing.Loraine Lawson (The New Stack)
Tomorrow at 9:00 CET I release #curl 8.12.0 live-streamed. What could possibly go wrong?
github.com/curl/curl/discussio…
The feature window is closed. The pending 8.12.0 release is scheduled to happen on February 5. If things go well, we open the feature window again on February 15. The curl release cycle is explaine...GitHub
36 hours left to the #curl 8.12.0 release.
At least 243 bugfixes, eight changes, three CVEs. I think you'll like it.
At 09:00 CET Wednesday morning I will live-stream the release procedure.
An hour later I will do a live-streamed release presentation.
Here: twitch.tv/curlhacker
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.Twitch
Those 2 symbols were available since the first 7.1.1 releaseGitHub
Tried to clean up and extend the documentation on the WebSocket-API a little. There are some other information missing from the docs in my opinion, but since they are not relevant for my use case I...GitHub
I did this Curl fails at make check with Perl 5.41.7 due to: make[2]: Leaving directory '/jenkins/workspace/Port-Build/curl/curl-8.11.1/tests' srcdir=. /jenkins/zopen/usr/local/zopen/perl/perl5-hea...GitHub
🏆 A huge congratulations to @bagder , founder of cURL , for receiving the first European Open Source Achievement Award! 🎉
The award was presented by Omar Mohsine, Open Source Coordinator at the UN, a key advocate for using open technologies !
👏 Daniel will take place in the EOSAcademy as its President! #EOSA2025 #FOSS #cURL
Busy days now. On this Saturday on #FOSDEM I will speak about #curl security work in "tightening every bolt":
fosdem.org/2025/schedule/event…
A 1337 #curl author
daniel.haxx.se/blog/2025/01/29…
For quite some time now, I celebrate and welcome every new commit author in the curl project in the public.daniel.haxx.se
Welcome Michael Schuster as #curl commit author... 1337
github.com/curl/curl/pull/1604…
Yes, number 1337 finally happened.
Problems Build fails when support for session tickets is disabled (thus HAS_SESSION_TICKETS undefined in lib/vtls/mbedtls.c). Runtime error for all TLS connections when built with MBEDTLS_USE_PSA_...GitHub
we're getting into similar territory with a CVE we publish for #curl next week. We've debated it to death internally... 😀
Stay tuned!
RFC 6455 Section 5.2 notes that for bits RSV1, RSV2, and RSV3 of the framing header, a non-zero value that is not defined by a negotiated extension MUST Fail the WebSocket connection. Related to #1...GitHub
asyn-thread was forgetting to copy the actual HTTPS info into the result and asyn-ares had a minor memory leak that only existed in another OOM path.GitHub
make #curl --url support a file with URLs?
curl.se/mail/archive-2025-01/0…
With my new PR, you can write "curl --url @file" and curl will download all the URLs in the provided file as if -O was used for each one of them. It can also get the list from stdin if you do "--url @-" in style with how other curl options work.
This is the first in a new series of monthly emails about what YOU can do to help out in the #curl project:
We have just confirmed that #curl up 2025 will take place in Prague over the weekend May 3-4.
Mark it in your calendars. Plan for it. We have started to add details to the wiki page of this year's event:
Top #curl sponsors as of now. Friends!
(yeps, it is the exact same list of names I have showed for quite some time...)
Twenty-six years ago on this day when we shipped #curl 5.5.1, the changelog was easier to gather than what they usually are today: curl.se/ch/5.5.1.html
Two bugfixes listed.
To play HTTPS RR in #curl's bleeding edge: github.com/curl/curl/blob/mast…
Expect rough edges.
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
Do you think this is fair?
"Problems that only trigger using legacy dependencies are not considered security problems."
github.com/curl/curl/pull/1608…
#curl
Uhmmmm... so, make yourself a CVE authority on your stuff [effectively blocking anyone else from publishing anything on your stuff), and do nothing else (i.e. no CVE published).
Of course, it's a bit late for #curl, but you know, other projects?
(and yes, it's naughty. I'm in a naughty mood, yeah?)
CVSS is dead to us
daniel.haxx.se/blog/2025/01/23…
#curl
CVSS is short for Common Vulnerability Scoring System and is according to Wikipedia a technical standard for assessing the severity of vulnerabilities in computing systems.daniel.haxx.se
It is only a year since we switched all #curl man pages to markdown but wow, what an improvement and "life enhancer"!
daniel.haxx.se/blog/2024/01/23…
I trust you have figured out already that I have the highest ambitions for the curl documentation. I want everything documented in a clear, easy-to-read and easy-to-find manner.daniel.haxx.se
