Date:      Wed, 7 Sep 2016 14:30:22 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: libcurl vulnerability
Message-ID:  <b8594429-77e2-3758-ba52-8b0fcd6392a9@FreeBSD.org>
In-Reply-To: <DM3PR20MB0843BC5CC1D191F0D4F3A04480F80@DM3PR20MB0843.namprd20.prod.outlook.com>
References:  <DM3PR20MB0843BC5CC1D191F0D4F3A04480F80@DM3PR20MB0843.namprd20.prod.outlook.com>

On 2016/09/07 13:47, Gerard Seibert wrote:
> Does this vulnerability affect FreeBSD?

The ftp/curl port will be built against the base system copy of openssl
by default, in which case this vulnerability won't affect it.

You can configure the port to link against libnss3.so in which case curl
presumably would be vulnerable.  The latest VuXML entry for curl

https://vuxml.freebsd.org/freebsd/e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1.html

only mentions CVE-2016-5420, and there doesn't appear to be anything
relevant listed against nss. Plus the version of curl in the ports at
the moment predates the fix in version 7.50.2.  I'd assume curl is
vulnerable if it is built with the NSS option turned on and if the nss
port is installed.

Please do raise a PR to report this to the maintainer of the curl port.

	Cheers,

	Matthew
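
A check for the condition described in the message above, added here as an example and not part of the original post or of FreeBSD's own tooling: it reads the first line of `curl --version`, reports whether the binary is linked against NSS, and compares its version with 7.50.2. The function names, result labels and sample banners are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify a `curl --version` banner by TLS backend and version.
FIXED="7.50.2"   # fixed curl release as stated in the message above

# ver_lt A B: succeed when dotted version A is numerically lower than B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading field of each
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}            # drop suffixes such as -DEV
        x=${x:-0}; y=${y:-0}                        # missing field counts as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1                                        # equal versions
}

# classify_banner LINE: print unknown | non-nss | nss-pre-fix | nss-fixed.
classify_banner() {
    banner=$1
    ver=$(printf '%s\n' "$banner" | sed -n 's/^curl \([0-9][0-9.]*\).*/\1/p')
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    case " $banner " in
        *" NSS/"*) ;;                               # linked against NSS
        *) echo "non-nss"; return 0 ;;              # e.g. OpenSSL, the port default
    esac
    if ver_lt "$ver" "$FIXED"; then echo "nss-pre-fix"; else echo "nss-fixed"; fi
}

# Constructed sample banners (illustrative, not captured from real hosts).
for sample in \
    "curl 7.50.1 (amd64-portbld-freebsd10.3) libcurl/7.50.1 OpenSSL/1.0.1s zlib/1.2.8" \
    "curl 7.50.1 (amd64-portbld-freebsd10.3) libcurl/7.50.1 NSS/3.26 zlib/1.2.8" \
    "curl 7.50.2 (amd64-portbld-freebsd10.3) libcurl/7.50.2 NSS/3.26 zlib/1.2.8"
do
    printf '%-12s %s\n' "$(classify_banner "$sample")" "$sample"
done

# Classify the locally installed curl, if there is one.
if command -v curl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(classify_banner "$(curl --version | head -n 1)")"
fi
```

A `nss-pre-fix` result matches the configuration the message flags. Packagers sometimes backport fixes without changing the version string, so confirm the result against the package's own advisory.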







Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?b8594429-77e2-3758-ba52-8b0fcd6392a9>