
Curl 7.51.0 Released - emillon
https://curl.haxx.se/changes.html#7_51_0
======
neic
I see that Ubuntu 16.04 LTS has version 7.47.0 [1]. It's been 9 months, 9
releases and at least 15 CVEs since then. I can also see that some of the CVEs
were reported to distros@openwall [2]. I (naively) assumed that once this was
reported, the package maintainers would update the packages and push a release
at the same time as the original developer made a public statement. Then I
could just update my system and be done with it.

Where is the fault in this chain? How can I as a maintainer of a few servers
be sure my servers are secure without manually patching every package?

[1]
[http://packages.ubuntu.com/xenial/libcurl3](http://packages.ubuntu.com/xenial/libcurl3)
[2] [http://oss-security.openwall.org/wiki/mailing-lists/distros](http://oss-security.openwall.org/wiki/mailing-lists/distros)

EDIT: changed "12 CVEs" to "at least 15 CVEs". The changelog doesn't have
CVE numbers in the title for all of them.

~~~
hannob
It's the concept of LTS distributions to stick with one version and only patch
important bugfixes and security vulnerabilities.

So if the Ubuntu security team does its job properly then you shouldn't have a
reason to worry.

(However given the number of security vulns these days it's often challenging
for LTS distributions to backport all security fixes. There are already
breakdowns of the LTS concept, e.g. sticking with latest upstream versions for
some packages like chromium where backporting is not realistic.)

~~~
anglebracket
Yep, you can see that Ubuntu has been backporting security fixes:
[https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.1](https://launchpad.net/ubuntu/+source/curl/7.47.0-1ubuntu2.1)
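
A worked version of the check the question above is asking for, as an added example (not code from the curl project, from Ubuntu, or from anyone in this thread): a small POSIX shell script that pulls every CVE identifier out of a Debian/Ubuntu-style package changelog and reports which of the eleven CVEs fixed upstream in curl 7.51.0 the changelog does not mention. The changelog entry embedded in the script is constructed for illustration, its version string 7.47.0-1ubuntu2.X is a placeholder, and the maintainer line is fictitious; the CVE list itself is copied from the release notes quoted further down the thread.

```shell
#!/bin/sh
# Added example, not code from the curl project or from Ubuntu.
# Extracts CVE identifiers from a Debian/Ubuntu-style package changelog and
# reports which of the CVEs fixed upstream in curl 7.51.0 it does not mention.

# The eleven CVE IDs listed in the curl 7.51.0 release notes.
CURL_7_51_0_CVES="CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618
CVE-2016-8619 CVE-2016-8620 CVE-2016-8621 CVE-2016-8622 CVE-2016-8623
CVE-2016-8624 CVE-2016-8625"

# cves_in_changelog: read a changelog on stdin and print every CVE identifier
# it contains, one per line, de-duplicated and sorted.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# missing_cves CVE-LIST: read a changelog on stdin and print each ID from
# CVE-LIST (whitespace-separated) that the changelog never mentions.
# Prints nothing when every ID in the list is covered.
missing_cves() {
    found=$(cves_in_changelog)
    for cve in $1; do
        if ! printf '%s\n' "$found" | grep -qx "$cve"; then
            printf '%s\n' "$cve"
        fi
    done
}

# Constructed sample changelog, for illustration only: the version string is a
# placeholder, the maintainer line is fictitious, and the entries are not the
# real Ubuntu curl changelog. It deliberately omits CVE-2016-8620 so that the
# check has something to report.
SAMPLE_CHANGELOG='curl (7.47.0-1ubuntu2.X) xenial-security; urgency=medium

  * SECURITY UPDATE (constructed sample entry)
    - CVE-2016-8615 CVE-2016-8616 CVE-2016-8617 CVE-2016-8618 CVE-2016-8619
    - CVE-2016-8621 CVE-2016-8622 CVE-2016-8623 CVE-2016-8624 CVE-2016-8625

 -- Example Maintainer <maintainer@example.invalid>  Thu, 03 Nov 2016 12:00:00 +0000
'

# check_sample: run the check against the constructed changelog. With the
# sample above it prints the single line "CVE-2016-8620".
check_sample() {
    printf '%s' "$SAMPLE_CHANGELOG" | missing_cves "$CURL_7_51_0_CVES"
}

check_sample
```

On a real Ubuntu host the same functions can be pointed at the actual package changelog with `apt-get changelog curl | missing_cves "$CURL_7_51_0_CVES"`, and `dpkg-query -W -f='${Version}\n' libcurl3` shows which package revision is installed. A CVE appearing in the changelog is the maintainer's statement that the fix was backported, not proof that it was; treat the check as a quick triage step, not as a replacement for reading the security notice or testing the behaviour.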

------
mitchtbaum
Those looking from a "reimplement it in Rust" angle may like:

* [https://github.com/hyperium/hyper/](https://github.com/hyperium/hyper/)

* [https://github.com/lukaszwawrzyk/rust-wget](https://github.com/lukaszwawrzyk/rust-wget)

* [https://github.com/tokio-rs/tokio-curl](https://github.com/tokio-rs/tokio-curl)

~~~
80x25
tokio-curl uses libcurl internally

~~~
mitchtbaum
Yes. I linked it to show how a web client can run requests in parallel using
Rust's tokio and futures libraries. If anyone makes a similar implementation,
it might go in tokio-hyper/examples ( [https://github.com/tokio-rs/tokio-hyper/tree/master/examples](https://github.com/tokio-rs/tokio-hyper/tree/master/examples) )
or near rust-wget to add more of wget and curl's
wrapped functionality.

------
fuhrysteve
Does anyone have an abbreviated explanation of the security vulnerabilities
that were addressed here? I recall there was a very ominous post to look out
for this release because of some nasty stuff they found.

------
jamies888888
I love cURL. Keep up the good work.

------
du_bing
What is the biggest usage of Curl? I am new to Linux, sorry.

~~~
thejosh
Apart from the oodles of software that depends on curl/libcurl, my favourite
thing is to "Copy as cURL" from a Chrome request.

~~~
dorfsmay
Or Firefox, but yes, first to debug all web bugs!

------
kinow
Change log for this release

Fixed in 7.51.0 - November 2 2016

Changes:

    nss: additional cipher suites are now accepted by CURLOPT_SSL_CIPHER_LIST
    New option: CURLOPT_KEEP_SENDING_ON_ERROR

Bugfixes:

    CVE-2016-8615: cookie injection for other servers
    CVE-2016-8616: case insensitive password comparison
    CVE-2016-8617: OOB write via unchecked multiplication
    CVE-2016-8618: double-free in curl_maprintf
    CVE-2016-8619: double-free in krb5 code
    CVE-2016-8620: glob parser write/read out of bounds
    CVE-2016-8621: curl_getdate read out of bounds
    CVE-2016-8622: URL unescape heap overflow via integer truncation
    CVE-2016-8623: Use-after-free via shared cookies
    CVE-2016-8624: invalid URL parsing with '#'
    CVE-2016-8625: IDNA 2003 makes curl use wrong host
    openssl: fix per-thread memory leak using 1.0.1 or 1.0.2
    http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
    LICENSE-MIXING.md: update with mbedTLS dual licensing
    examples/imap-append: Set size of data to be uploaded
    test2048: fix url
    darwinssl: disable RC4 cipher-suite support
    CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting
    openssl: don't call CRYPTO_cleanup_all_ex_data
    libressl: fix version output
    easy: Reset all statistical session info in curl_easy_reset
    curl_global_cleanup.3: don't unload the lib with sub threads running
    dist: add CurlSymbolHiding.cmake to the tarball
    docs: Remove that --proto is just used for initial retrieval
    configure: Fixed builds with libssh2 in a custom location
    curl.1: --trace supports % for sending to stderr!
    cookies: same domain handling changed to match browser behavior
    formpost: trying to attach a directory no longer crashes
    CURLOPT_DEBUGFUNCTION.3: fixed unused argument warning
    formpost: avoid silent snprintf() truncation
    ftp: fix Curl_ftpsendf
    mprintf: return error on too many arguments
    smb: properly check incoming packet boundaries
    GIT-INFO: remove the Mac 10.1-specific details
    resolve: add error message when resolving using SIGALRM
    cmake: add nghttp2 support
    dist: remove PDF and HTML converted docs from the releases
    configure: disable poll() in macOS builds
    vtls: only re-use session-ids using the same scheme
    pipelining: skip to-be-closed connections when pipelining
    win: fix Universal Windows Platform build
    curl: do not set CURLOPT_SSLENGINE to DEFAULT automatically
    maketgz: make it support "only" generating version info
    Curl_socket_check: add extra check to avoid integer overflow
    gopher: properly return error for poll failures
    curl: set INTERLEAVEDATA too
    polarssl: clear thread array at init
    polarssl: fix unaligned SSL session-id lock
    polarssl: reduce #ifdef madness with a macro
    curl_multi_add_handle: set timeouts in closure handles
    configure: set min version flags for builds on mac
    INSTALL: converted to markdown => INSTALL.md
    curl_multi_remove_handle: fix a double-free
    multi: fix infinite loop in curl_multi_cleanup()
    nss: fix tight loop in non-blocking TLS handshake over proxy
    mk-ca-bundle: Change URL retrieval to HTTPS-only by default
    mbedtls: stop using deprecated include file
    docs: fix req->data in multi-uv example
    configure: Fix test syntax for monotonic clock_gettime
    CURLMOPT_MAX_PIPELINE_LENGTH.3: Clarify it's not for HTTP/2

~~~
teh_klev
Why repeat this here in an inferior format?

~~~
LeonM
I think this format is superior for mobile users, it gives them only the
relevant information in just a few kB of data.

In this case, haxx.se is not that bad, but many news sites present so many
ads, overlays, non-responsive UI, dark UI, etc. that most mobile browsers
crash, and loading takes forever due to 10+ MB of ads on a 3G connection just
to display 20 lines of information.

~~~
teh_klev
I read this first on my android phone and can assure you that your copy paste
is inferior, especially so due to the use of a fixed width font causing line
truncation.

Also this kinda thing is about as popular here as "tldr" posts which are
quickly suppressed.

My friendly advice is to not make a habit of this.

