oss-sec mailing list archives
Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host
From: Stuart Henderson <stu () spacehopper org>
Date: Wed, 2 Nov 2016 11:07:45 +0000
On 2016/11/02 08:13, Daniel Stenberg wrote:
> In version 7.51.0, the parser function is fixed. A patch for CVE-2016-8625 (https://curl.haxx.se/CVE-2016-8625.patch) is available.
This switches to using libidn2, which hasn't had a substantial commit in around 5 years (https://gitlab.com/jas/libidn2/commits/master), and currently doesn't even show up in the file listing for the https version of alpha.gnu.org/gnu/libidn/. (Somehow http and https are different; the https version has HSTS headers which you might need to take into account if comparing). Moving something as widely used as curl to this makes me feel a little uneasy (and I'm a bit surprised it wasn't called out specifically in the release notes). Has anyone poked at it much yet?
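To make the host mismatch behind this advisory concrete, here is an added Python example (not from the thread, and not curl's or libidn2's code). It computes the ASCII form of a Unicode hostname under IDNA 2003, using Python's standard-library "idna" codec, and under a simplified IDNA 2008 conversion, then flags hostnames where the two standards would send a client to different DNS names. The sample hostnames are constructed for the example; the IDNA 2008 function is an assumption-laden simplification that treats every label as already lowercase NFC with only code points valid under IDNA 2008, so it does no validation or compatibility mapping.

```python
import unicodedata

# Constructed sample hostnames (not taken from the advisory): one label whose
# IDNA 2003 and IDNA 2008 ASCII forms differ, two where they agree.
SAMPLE_HOSTS = ["straße.de", "bücher.de", "example.com"]


def to_ascii_idna2003(host: str) -> str:
    """IDNA 2003 (RFC 3490) ToASCII via Python's stdlib 'idna' codec.

    Nameprep case-folds 'ß' to 'ss', so the sharp s disappears and the
    label becomes a plain ASCII name that needs no xn-- prefix at all.
    """
    return host.encode("idna").decode("ascii")


def to_ascii_idna2008_simplified(host: str) -> str:
    """Simplified IDNA 2008 ToASCII (assumption: labels are lowercase NFC and
    every code point is PVALID, so no validation or mapping is performed).

    IDNA 2008 does no compatibility mapping, so 'ß' survives and the label
    is Punycode-encoded as-is under the xn-- prefix.
    """
    labels = []
    for label in unicodedata.normalize("NFC", host).split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def diverges(host: str) -> bool:
    """True when the two standards resolve the hostname to different names."""
    return to_ascii_idna2003(host) != to_ascii_idna2008_simplified(host)


def report(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host to (idna2003 form, idna2008 form, diverges?)."""
    return {
        h: (to_ascii_idna2003(h), to_ascii_idna2008_simplified(h), diverges(h))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (old, new, differs) in report().items():
        flag = "DIFFERENT HOST" if differs else "same"
        print(f"{host:12s} idna2003={old:18s} idna2008={new:18s} {flag}")
```

The interesting row is "straße.de": a client using IDNA 2003 connects to strasse.de, while one using IDNA 2008 connects to xn--strae-oqa.de, which can be a completely unrelated registration. "bücher.de" encodes to xn--bcher-kva.de under both, which is why the divergence only shows up for code points the two standards treat differently.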