Date: Wed, 7 Sep 2016 14:30:22 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: libcurl vulnerability
Message-ID: <b8594429-77e2-3758-ba52-8b0fcd6392a9@FreeBSD.org>
In-Reply-To: <DM3PR20MB0843BC5CC1D191F0D4F3A04480F80@DM3PR20MB0843.namprd20.prod.outlook.com>
References: <DM3PR20MB0843BC5CC1D191F0D4F3A04480F80@DM3PR20MB0843.namprd20.prod.outlook.com>

On 2016/09/07 13:47, Gerard Seibert wrote:
> Does this vulnerability affect FreeBSD?

The ftp/curl port will be built against the base system copy of openssl
by default, in which case this vulnerability won't affect it. You can
configure the port to link against libnss3.so in which case curl
presumably would be vulnerable.

The latest VuXML entry for curl
https://vuxml.freebsd.org/freebsd/e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1.html
only mentions CVE-2016-5420, and there doesn't appear to be anything
relevant listed against nss. Plus the version of curl in the ports at
the moment predates the fix in version 7.50.2.

I'd assume curl is vulnerable if it is built with the NSS option turned
on and if the nss port is installed. Please do raise a PR to report
this to the maintainer of the curl port.

Cheers,

Matthew
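
The reply above turns on two facts about an installed curl: which TLS library it is linked against, and whether libcurl predates 7.50.2. The following is an added example, not part of the original message, that reads both from the first line of `curl --version`; the function names, status labels and the sample banner are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a `curl --version` banner using the two conditions
# from the message above (NSS backend, libcurl older than 7.50.2).

FIXED_VERSION="7.50.2"   # fix version as stated in the message

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    oldest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# curl_tls_exposure BANNER: print "<status> libcurl=<version> tls=<backend>".
#   review  = NSS backend and older than the fix version
#   fixed   = NSS backend at or past the fix version
#   not-nss = linked against another TLS library
curl_tls_exposure() {
    ver="" backend="none"
    set -f                       # no globbing while splitting the banner
    for tok in $1; do
        case $tok in
            libcurl/*) ver=${tok#libcurl/}; ver=${ver%%-*} ;;
            OpenSSL/*|LibreSSL/*|GnuTLS/*|NSS/*)
                if [ "$backend" = none ]; then backend=${tok%%/*}; fi ;;
        esac
    done
    set +f
    if [ -z "$ver" ]; then status=unknown
    elif [ "$backend" != NSS ]; then status=not-nss
    elif version_lt "$ver" "$FIXED_VERSION"; then status=review
    else status=fixed
    fi
    printf '%s libcurl=%s tls=%s\n' "$status" "$ver" "$backend"
}

# Constructed sample banner (not captured from a real system).
SAMPLE='curl 7.50.1 (amd64-portbld-freebsd10.3) libcurl/7.50.1 NSS/3.25 zlib/1.2.8'
curl_tls_exposure "$SAMPLE"      # review libcurl=7.50.1 tls=NSS

# Report on the local binary when one is installed.
if command -v curl >/dev/null 2>&1; then
    curl_tls_exposure "$(curl --version | head -n 1)"
fi
```

The banner reflects the library curl was linked against at build time, so it distinguishes a default OpenSSL build from one built with the NSS option regardless of which packages happen to be installed.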