Hey all,

(cross-posted to both curl-users and curl-library to reach widely, please send responses to the proper single list.)

Nobody missed Heartbleed[1] this past week I'm sure. If you did, you must've been on an awesomely disconnected vacation.

Anyway, I've gotten numerous questions about curl in this context so I wanted to spell out the details once and for all.

Heartbleed is a flaw in OpenSSL in a certain version span. Clients are *also* vulnerable to this flaw, which means that if you run curl or libcurl with a vulnerable OpenSSL version a rogue server can read client memory.

Again, this is an OpenSSL flaw but since OpenSSL is a library, applications that use it will be affected. If you use libcurl using OpenSSL then you are affected too.

This is not a flaw in curl nor libcurl; we will not and cannot release anything to address this problem.

Things to do to avoid being affected include:

 - run a fixed OpenSSL version, or an older version from before the flaw was
   introduced

 - build libcurl against the numerous other fine TLS libraries that we support

[1] = http://heartbleed.com/

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
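One way to turn the two remediation points above into a check, as an added example that is not part of Daniel's mail: it reads the first line of `curl --version`, works out which TLS backend libcurl was built against, and applies the rule that only an OpenSSL build inside the flawed span is affected. The sample version lines are constructed, and the OpenSSL version boundaries FIRST_BAD and FIRST_FIXED are assumptions (the mail gives no version numbers) to be verified against the OpenSSL advisory.

```python
import re
import subprocess
# Constructed sample first lines of `curl --version` (not taken from the mail).
SAMPLE_LINES = [
    "curl 7.35.0 (x86_64-pc-linux-gnu) libcurl/7.35.0 OpenSSL/1.0.1e zlib/1.2.8",
    "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 OpenSSL/1.0.1g zlib/1.2.8",
    "curl 7.36.0 (x86_64-pc-linux-gnu) libcurl/7.36.0 GnuTLS/3.2.12 zlib/1.2.8",
    "curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.3 zlib/1.2.7",
]
# TLS backend names as curl prints them in that line.
TLS_BACKENDS = ("OpenSSL", "GnuTLS", "NSS", "PolarSSL", "CyaSSL", "SecureTransport")
# Assumed flawed OpenSSL span (first affected, first fixed). The mail gives no
# version numbers; verify these against the OpenSSL advisory before relying on them.
FIRST_BAD, FIRST_FIXED = "1.0.1", "1.0.1g"

def tls_backend(version_line):
    """Return (backend, version) from a `curl --version` first line, or None."""
    for token in version_line.split():
        name, sep, ver = token.partition("/")
        if sep and name in TLS_BACKENDS:
            return name, ver
    return None

def openssl_key(ver):
    """Sortable key for '1.0.1e' or '1.0.1e-fips'; the letter orders patch
    releases and a '-suffix' is ignored, so pre-release tags are not handled."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-.*)?", ver)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % ver)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def classify(version_line):
    """The mail's rule: affected only if built on OpenSSL inside the flawed span."""
    found = tls_backend(version_line)
    if found is None:
        return "unknown", None, None
    backend, ver = found
    if backend == "OpenSSL" and (
            openssl_key(FIRST_BAD) <= openssl_key(ver) < openssl_key(FIRST_FIXED)):
        return "affected", backend, ver
    return "safe", backend, ver

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), "<-", line)
    try:  # now the curl binary on PATH, if there is one
        out = subprocess.run(["curl", "--version"], capture_output=True, text=True).stdout
    except OSError:
        out = ""
    print("local curl:", classify(out.splitlines()[0]) if out else "curl not runnable")
```

A "safe" result for a non-OpenSSL backend only means this particular flaw does not apply; it says nothing about that backend's own advisories.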