Summing up #curl's 2024 in a single image could possibly look like this.
28 years into this never-ending journey, development activity is higher than ever before.
Enjoy this #curl summary of the past year. From twelve years ago:
daniel.haxx.se/blog/2012/12/23…
So what did happen in the curl project during 2012? First some basic stats. We shipped 6 releases with 199 identified bug fixes and some 40 other changes. (daniel.haxx.se)
I'm a little amused that there are so many people trying to find faults or poke "a hole" in this graph. You're taking this too seriously. It's not the end of the world if some commits are assigned the wrong time zone.
The fact is that many top contributors to #curl, myself included, are based in Europe. That's the simple explanation for why the graph looks like this.
Time to stop using codeql in the #curl project perhaps?
github.com/curl/curl/pull/1579…
We started using codeql for static code analysis in 7183f5a, June 2020. Since then, not a single commit has been merged into the source code repository citing codeql as source or reason. Yet, it ke... (GitHub)
daniel.haxx.se/blog/2024/12/21…
The ride is coming to an end. The experiment is done. We tried, but we admit defeat. Four years ago we started adding support for an alternative HTTP backend in curl. It would use a library written in rust, called hyper. (daniel.haxx.se)
The #curl feature window opened today and will remain open for three weeks. This rather huge change just landed:
github.com/curl/curl/pull/1512…
lib: remove all code; configure: stop detecting hyper; docs: no more mention of hyper; tests: no more special-handling of hyper builds; CI: no jobs using hyper. To be merged after the 8.11.1 release in... (GitHub)
Two years ago we spotted #curl in the TV series Tschugger:
daniel.haxx.se/blog/2022/12/19…
In the Swiss crime comedy TV series Tschugger, season two episode two at roughly 25:20, there is a shot with a curl command line in a terminal window using an unnecessary --request option. (daniel.haxx.se)
The compare_func() can violate the antisymmetric property required by qsort. Specifically, when both aa->len == 0 and bb->len == 0, the function returns conflicting results (-1 for compare_fu... (GitHub)
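The comparator property the issue describes, as an added example that is not curl's code: the entry struct and this compare_func are hypothetical stand-ins for the page's aa->len / bb->len fields. Two zero-length entries must compare equal, and a small check confirms that cmp(a,b) and cmp(b,a) always have opposite signs (or are both zero), which is what qsort requires.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type; the real curl struct is not shown on the page. */
struct entry {
  const char *data;
  size_t len;
};

/* qsort comparator: shorter entries first, then bytewise order. Two zero-length
 * entries compare equal (0), so the result is never -1 for both orderings. */
static int compare_func(const void *a, const void *b)
{
  const struct entry *aa = a;
  const struct entry *bb = b;
  if(aa->len != bb->len)
    return (aa->len < bb->len) ? -1 : 1;
  if(aa->len == 0)
    return 0;                       /* both empty: equal, not "a before b" */
  return memcmp(aa->data, bb->data, aa->len);
}

/* Returns 1 if sign(cmp(x,y)) == -sign(cmp(y,x)) for every ordered pair. */
static int comparator_is_antisymmetric(const struct entry *arr, size_t n)
{
  for(size_t i = 0; i < n; i++) {
    for(size_t j = 0; j < n; j++) {
      int ab = compare_func(&arr[i], &arr[j]);
      int ba = compare_func(&arr[j], &arr[i]);
      if((ab < 0) != (ba > 0) || (ab == 0) != (ba == 0))
        return 0;                   /* inconsistent: undefined behaviour in qsort */
    }
  }
  return 1;
}

/* Constructed sample input; the two empty entries exercise the edge case. */
static const struct entry sample[] = {
  { "", 0 }, { "abc", 3 }, { "", 0 }, { "ab", 2 }, { "abd", 3 }
};
static const size_t sample_count = sizeof(sample) / sizeof(sample[0]);

int main(void)
{
  struct entry copy[5];
  memcpy(copy, sample, sizeof(copy));
  qsort(copy, sample_count, sizeof(copy[0]), compare_func); /* safe: comparator is consistent */
  return comparator_is_antisymmetric(sample, sample_count) ? 0 : 1;
}
```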
I just love how someone dives down through history and thinks they found a mistake in which commit that introduced the #curl CVE-2017-7407 ....
It's an asterisk, not an ampersand. (GitHub)
Come May 2025, #curl will drop support for Secure Transport.
If you develop something for Apple devices and use libcurl, you might want to think about what this means. And maybe do something too.
github.com/curl/curl/discussio…
Apple has deprecated Secure-Transport capabilities since iOS 13.0 (which is several years by now) with a recommendation of porting to use Network.framework instead. Therefore building libCURL with... (GitHub)
Five years ago I improved #curl testing by randomly skipping some tests! This concept is still in use today.
daniel.haxx.se/blog/2019/12/16…
In the curl project we produce and ship a rock solid and reliable library for the masses, we must never exit, leak memory or do anything in an ungraceful manner. (daniel.haxx.se)
FYI: CVE-2024-11053 is *not* a critical security flaw, even if now several security related sites repeat that statement.
This is as good as any reminder that you should read the #curl advisories for #curl issues rather than trusting the scaremongers.
curl.se/docs/CVE-2024-11053.ht…
(edit: I wrote an extra '1' in there at first)
Apparently #CISA has rated #curl #vulnerability #CVE_2024_11053 as #CVSS v3 Base Score 9.1 "critical". This is wrong, and will lead to automation triggering unnecessary warnings and blocking use of perfectly fine systems until an update is installed (which can take months). nvd.nist.gov/vuln/detail/CVE-2…
Edit: In case you wonder my credentials for judging this: I found this vulnerability.
Edit2: This appears to be originating from CISA: cve.org/Media/News/item/blog/2…
Edit3: The score has now been fixed. Commit: github.com/cisagov/vulnrichmen…
A repo to conduct vulnerability enrichment. Contribute to cisagov/vulnrichment development by creating an account on GitHub. (GitHub)
"let me use an AI and file another bug against #curl"
github.com/curl/curl/issues/15…
I did this: A critical remote code execution vulnerability exists in the varexpand function due to a combination of insecure input handling, unsafe memory operations, and improper execution of user-... (GitHub)
A twenty-five years old #curl bug
daniel.haxx.se/blog/2024/12/12…
I have talked about old curl bugs before, but now we have a new curl record. When we announced the security flaw CVE-2024-11053 on December 11, 2024 together with the release of curl 8.11. (daniel.haxx.se)
As for every #curl release, I will do a live-streamed video presentation about it at 10:00 CET (09:00 UTC) At
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics. (Twitch)
The new #curl CVE-2024-11053 we call "netrc and redirect credential leak"
While graded severity low, it will of course still be relevant to whomever uses the unlucky combination of options.
#curl 8.11.1 has been released. It includes a fix to #CVE_2024_11053 - a #vulnerability I discovered.
It is a logic flaw in the way curl parses the .netrc file. In certain situations, the configured password can be sent to an incorrect host. Luckily the affected configurations should be quite rare and thus the situation is unlikely to occur often.
The issue has existed in the curl source code for almost twenty-five years.
• curl.se/docs/CVE-2024-11053.ht…
• hackerone.com/reports/2829063
No AI tools were used in discovering or reporting the vulnerability.
#curl 8.11.1 is released. About 79 bugfixes, including one CVE addressed.
daniel.haxx.se/blog/2024/12/11…
Welcome to another curl release. This time we do a bugfix only release, five weeks since the previous version shipped. Release Presentation: Today at 09:00 UTC I will do a live-streamed video presentation of curl 8.11.1 on Twitch. (daniel.haxx.se)
Two years ago we spotted #curl in the movie Silk Road:
daniel.haxx.se/blog/2022/12/10…
In the 2021 movie Silk Road, at around 19:23-19:26 into the film we can see Ross Ulbricht, the lead character, write a program on his laptop that uses curl. (daniel.haxx.se)
#Slop is low-quality media - including writing and images - made using generative artificial intelligence technology.
Source: Wikipedia.
Open source projects have to deal with a growing number of low-quality vulnerability reports based on AI. See for example this comment from Daniel Stenberg, maintainer of #Curl:
I'm sorry you feel that way, but you need to realize your own role here. We receive AI slop like this regularly and at volume. You contribute to unnecessary load of curl maintainers and I refuse to take that lightly and I am determined to act swiftly against it. Now and going forward. You submitted what seems to be an obvious AI slop "report" where you say there is a security problem, probably because an AI tricked you into believing this. You then waste our time by not telling us that an AI did this for you and you then continue the discussion with even more crap responses - seemingly also generated by AI.
Read more at HackerOne: Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4.
#opensource #AI #LLM #Spam
*Curl is a software that I love and is an important tool for the world.* *If my report doesn't align, I apologize for that.* The `Curl_inet_ntop` function is designed to convert IP addresses from... (HackerOne)
As a service to security researchers, I added this section to #curl's hackerone page:
AI
If you have used AI in the creation of the vulnerability report, you must disclose this fact in the report and you should do so clearly. We will of course doubt all "facts" and claims in reports where an AI has been involved. You should check and double-check all facts and claims any AI told you before you pass on such reports to us. You are normally much better off avoiding AI.
The curl Bug Bounty Program enlists the help of the hacker community at HackerOne to make curl more secure. (HackerOne)
Certainly a more thorough and thoughtful reply than was deserved.
Keep up the excellent work Daniel. Enthusiastic kudos to all the #curl maintainers.
Rock-solid #curl with Daniel Stenberg
youtu.be/DvicV2MYKW4?si=9G1ilk…
The ideas behind these new long-term support curl release branches. How they work, why we do them, how they differ from the normal curl releases and so on. (YouTube)
Help us work out how to save TLS sessions with #curl
github.com/curl/curl/discussio…
Thinking about storing TLS sessions more permanently, e.g. in a file. This would make these available the next time you start curl. Reusing them is beneficial for performance, especially now that w... (GitHub)