On Wed, 17 Oct 2018, Jörg Schmitz-Linneweber via curl-library wrote:

> I'm just wondering how or better _if_ the above mentioned flaw in libssh (or
> libssh2) affects curl.
>
> In my opinion it should not have any impact since curl needs libssh "only"
> for (transfer) protocols SCP and SFTP and the flaw in libssh affects
> (mostly) the server side.
>
> Of course I'll have a look in the sources. But perhaps someone has already
> done this? :-)

curl and libcurl are NOT affected by the above mentioned flaw.

The CVE-2018-10933 security vulnerability [1] affects libssh when run
server-side, which neither curl nor libcurl ever do. They simply don't offer
that functionality.

The issue is a libssh-only vulnerability and doesn't affect libssh2 at all.

It can be noted that there aren't that terribly many servers out there in the
wild actually based on libssh. shodan [2] lists 6,353 of them. Still of course
if YOU run such a server, an upgrade is in place NOW.

[1] = https://www.libssh.org/security/advisories/CVE-2018-10933.txt
[2] = https://www.shodan.io/search?query=libssh

--
/ daniel.haxx.se