Search

Items tagged with: curl

do you have #curl tatooed on either bicep?
cheers! 💪
#curl

If you have run #curl on an OS not listed here already, let me know. 102 operating systems.
#curl

#curl

Twenty-five years of commit history says >17% of all #curl commits have been done on the weekend.
#curl

#curl

Apparently #CISA has rated #curl #vulnerability #CVE_2024_11053 as #CVSS v3 Base Score 9.1 "critical". This is wrong, and will lead to automation triggering unnecessary warnings and blocking use of perfectly fine systems until an update is installed (which can take months). nvd.nist.gov/vuln/detail/CVE-2…

Edit: In case you wonder my credentials for judging this: I found this vulnerability.

Edit2: This appears to be originating from CISA: cve.org/Media/News/item/blog/2…

Edit3: The score has now been fixed. Commit: github.com/cisagov/vulnrichmen…


data updated · cisagov/vulnrichment@91fadb2

A repo to conduct vulnerability enrichment. Contribute to cisagov/vulnrichment development by creating an account on GitHub.
GitHub
#vulnerability #curl #cvss #cisa #cve_2024_11053

#curl

25 years later, #curl is now at 0 sscanf calls - and we do not allow new ones to get added
#curl

Given that #curl is such a prominent project and you are very present in the media arguing against the quality of LLM generated issue reports, I fear the cohort of misguided "AI" evangelists will make it a sport to "prove you wrong".
#curl

#curl

#curl

About 40% of #curl's vulnerabilities could have been avoided had we not used C.
#curl

As for every #curl release, I will do a live-streamed video presentation about it at 10:00 CET (09:00 UTC) At

twitch.tv/curlhacker


curlhacker - Twitch

I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Twitch
#curl

#curl

#curl

#curl 8.11.1 has been released. It includes a fix to #CVE_2024_11053 - a #vulnerability I discovered.

It is a logic flaw in the way curl parses .netrc file. In certain situations, the configured password can be sent to a incorrect host. Luckily the affected configurations should be quite rare and thus the situation is unlikely to occur often.

The issue has existed in the curl source code for almost twenty-five years.

curl.se/docs/CVE-2024-11053.ht…
hackerone.com/reports/2829063

No AI tools were used in discovering or reporting the vulnerability.

#noai #handcrafted #infosec #cybersecurity

curl - netrc and redirect credential leak - CVE-2024-11053

curl.se
#infosec #cybersecurity #vulnerability #curl #noAI #cve_2024_11053 #handcrafted

#curl 8.11.1 is released. About 79 bugfixes, including one CVE addressed.

daniel.haxx.se/blog/2024/12/11…


curl 8.11.1

Welcome to another curl release. This time we do a bugfix only release, five weeks since the previous version shipped. Release Presentation Today at 09:00 UTC I will do a live-streamed video presentation of curl 8.11.1 on Twitch.
daniel.haxx.se
#curl

#curl

#Slop is low-quality media - including writing and images - made using generative artificial intelligence technology.


Quelle: Wikipedia.

Open source projects have to deal with a growing number of low-quality vulnerability reports based on AI. See for example this comment from Daniel Stenberg, maintainer of #Curl:

I'm sorry you feel that way, but you need to realize your own role here. We receive AI slop like this regularly and at volume. You contribute to unnecessary load of curl maintainers and I refuse to take that lightly and I am determined to act swiftly against it. Now and going forward.

You submitted what seems to be an obvious AI slop "report" where you say there is a security problem, probably because an AI tricked you into believing this. You then waste our time by not telling us that an AI did this for you and you then continue the discussion with even more crap responses - seemingly also generated by AI.

Weiterlesen bei HackerOne: Buffer Overflow Risk in Curl_inet_ntop and inet_ntop4.

#opensource #AI #LLM #Spam


curl disclosed on HackerOne: Buffer Overflow Risk in Curl_inet_ntop...

*Curl is a software that I love and is an important tool for the world. * *If my report doesn't align, I apologize for that.* The `Curl_inet_ntop` function is designed to convert IP addresses from...
HackerOne
#opensource #AI #llm #spam #curl #Slop

#curl #hackerone

As a service to security researchers, I added this section to #curl's hackerone page:

AI

If you have used AI in the creation of the vulnerability report, you must disclose this fact in the report and you should do so clearly. We will of course doubt all "facts" and claims in reports where an AI has been involved. You should check and double-check all facts and claims any AI told you before you pass on such reports to us. You are normally much better off avoiding AI.

hackerone.com/curl


curl - Bug Bounty Program | HackerOne

The curl Bug Bounty Program enlists the help of the hacker community at HackerOne to make curl more secure.
HackerOne
#curl

Certainly a more thorough and thoughtful reply than was deserved.

Keep up the excellent work Daniel. Enthusiastic kudos to all the #curl maintainers.

#curl

Marking them as spam now. #curl #hackerone (AI slop as "security vulnerability reports")
#curl #hackerone

#curl

#curl

Here's a graph you never asked for. sscanf() call density in #curl source code over time
#curl

#curl

The current #curl source code (product code) is exactly 1.14 times War And Peace by word count.
#curl

This is the screen in a Chevrolet Tracker LTZ 2024 car (Thanks Diego!)

#curl

#curl

#curl

#curl

On Thursday Dec 5 I will run a webinar and tell you all about Rock-solid #curl long-term support releases.

Sign up here:

us02web.zoom.us/webinar/regist…


Welcome! You are invited to join a webinar: Rock-Solid curl. After registering, you will receive a confirmation email about joining the webinar.

Join wolfSSL for an exclusive live webinar on December 5th at 10 AM PT featuring Daniel Stenberg, founder and lead developer of curl, to explore the launch of Rock-Solid curl, a long-term support version designed for users who prioritize security, st…
Zoom
#curl

Here's the latest #curl hackerone issue I mentioned the other day: hackerone.com/reports/2871792 another one of those "we found a function call so therefore your program must be vulnerable".

Disclosed for educational purposes. Don't do this.


curl disclosed on HackerOne: Buffer Overflow Vulnerability in...

## Summary: The vulnerability in the program arises from a classic buffer overflow, triggered by the unsafe use of the strcpy() function without bounds checking. The program copies data from a...
HackerOne
#curl

#curl

Geeks of Mastodon, C writers and API whisperers, are you bored and without a short project?
I would love for #CURL to be able to list Samba directories. Last year I made a PR allowing for local directories listing and wanted to do the the same for smb, but without success. I think succeeding requires knowledge of Windows APIs.
I can provide some help getting it merged.

This is where I got stuck: github.com/colinleroy/curl/com…
(the magic should happen in smb_send_open_directory)


Skeleton for SMB directory listing · colinleroy/curl@b27c3d8

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS…
GitHub
#curl

#curl

#Windows #curl

#curl

#curl