We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...
#curl has awarded peeps more than 63,000 USD in bug bounties so far - excluding the upcoming new CVE which alone will get the new curl record bug-bounty of 4,600 USD
This is one reason why #curl gets so much scrutiny.
As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th
ftpserver.pl correctly cleans up spawned server processes, but forgets to wait for the shell used to spawn them. This is barely noticeable during a normal testrun, but causes process exhaustion and...
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl securit...
The slides = https://www.slideshare.net/DanielStenberg7/mastering-the-curl-command-linepdf0:00 Mastering the curl command line0:16 Daniel Stenberg0:36 curl s...
#curl 8.4.0 will be released out of schedule due to serious #security #vulnerability CVE-2023-38545. This release will also fix another, less critical vulnerability CVE-2023-38546. Tentative release date is planned for 2023-10-11. The curl security process it is described here: curl.se/dev/vuln-disclosure.ht…
The Internet Bug Bounty is a program for core net infrastructure & open source software. We reward hackers who uncover security vulnerabilities. Learn more!
I talk about curl, open source, networking and stuff like that from my view and angle from my home in Stockholm, Sweden.
I'm the lead developer of curl.
I'm occasionally live-streaming curl development on twitch: https://www.twitch.
I ran a docker image to install RUN mkdir github-action-runner && cd github-action-runner && curl -O -L https://github.com/actions/runner/releases/download/v2.305.0/actions-runner-linux-x64-2.305.0...
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
Right now, when building curl with a wolfssl build that has TLS 1.2 disabled, the build fails with curl trying to find the TLSv1_2_client_method symbol.
This PR adds a compile-time check to see if ...
I closed the #gemini PR for #curl just now with no action, but I'm encouraging a new one to get filed later on when ready for the next step: github.com/curl/curl/pull/1117…
I did this I started with the websocket-cb example and connected to an echo websocket server for testing. I expected the following I expected the data callback to be called once the connection is e...
if EOF happens, socket is readable, SSLHandshake calls bio_cf_in_read; which interprets nread == 0 as errSSLWouldBlock, which leads to busy loop until timeout occurs or possibly write fails.
I have...
@loke I know we are far from alone - I expect this to happen to virtually everyone. But as I work on #curl and it is a problem for us, I try to educate our audience in how this works.
I very much doubt that any CVSS change can fix this. It's an NVD problem rather than anything else as I see it.
"Alert: if you look up curl CVEs in public sources like NVD you will find they use inflated severity levels and CVSS scores. They think they know better and override our assessments. This is a systemic error that we unfortunately cannot fix. Feel free to complain to them - we keep doing it to no use - and consider using our material as the canonical sources for curl issues. "
This PR is based on the conversation here.
When sending an HTTP/2 POST request, curl will always defer request body to a different TLS record (if SSL/TLS is enabled) and TCP packet. This problem is...
I would find it useful to have a way to cause the --write-out output of the curl tool to be written to a file instead of stdout or stderr which may both be in use for other purposes. One way to ach...
