On Tue, 11 Nov 2014, [email protected] wrote:

> Does libcurl have a policy on having code to protect against bugs being exploited in lower-level libraries? For example, this Windows SChannel bug:

I'll just second Ray's comments in that we can't do a whole lot about bugs in other libraries.

We do however make an effort to make libcurl safe and secure. Mostly with code reviews, tests (involving running them with tools like valgrind) and static code analyzers (like clang-analyzer, cppcheck and coverity).

We also have a documented process for handling discovered or suspected security problems in curl or libcurl: http://curl.haxx.se/dev/security.html

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
