On 06/11/2021 01:03, Patrick Monnerat via curl-library wrote:
> Your version is more than 8 years old! :-( You better upgrade, as a lot
> of other more serious security problems have been fixed since then.

Due to the lag in getting updates into the OS distro, all it takes is a system built 4 years ago. CentOS 7 still tops out at 7.29 even when fully updated. Not worried about *that* box, it was just the one to hand, but even quite new systems have default versions that don't support --oauth2-bearer for HTTP, only for IMAP etc.


> Please note also that argument obfuscation does not reduce the leakage
> risk to 0: there's still a tiny time between the program start and the
> info erasure, and it does not even work for some OSes.

I'm aware.
I think I'm going to use a scratch config file to pass the argument anyway (as that works with the distro curl version).
Of course, I need to be quite careful how I construct that file.

                        Stephen
--
======================================================================
|epcc| Dr Stephen P Booth             Principal Architect       |epcc|
|epcc| [email protected]          Phone 0131 650 5746       |epcc|
======================================================================
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
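
One way to build the scratch config file discussed in the message above, as an added example that is not part of the original e-mail or of the curl project. The function names and the temporary file name pattern are assumptions made for this sketch; it relies only on curl's --config option and the "header" config entry, which the old distro versions also accept.

```sh
#!/bin/sh
# Added example: hand a bearer token to curl through a private scratch
# config file so it never appears in any process's argument list.
# All function names here are hypothetical.

# Escape a value for a double-quoted curl config parameter. Inside quotes
# curl treats backslash as an escape, so \ and " must be backslash-escaped.
# The value reaches sed on stdin, not as an argument.
curl_cfg_quote() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Create the scratch file and print its path.
# Fails if the token is empty or contains control characters: a CR or LF
# would end the header line and inject extra headers or config options.
write_bearer_config() {
    _tok=$1
    [ -n "$_tok" ] || return 1
    if [ "$(printf '%s' "$_tok" | tr -d '[:cntrl:]')" != "$_tok" ]; then
        echo "refusing token with control characters" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is created owner-only from the
    # start. mktemp picks an unpredictable name and will not reuse a file.
    _cfg=$(umask 077 && mktemp "${TMPDIR:-/tmp}/curlcfg.XXXXXXXX") || return 1
    # printf is a shell builtin, so the token is not exposed via argv.
    printf 'header = "Authorization: Bearer %s"\n' \
        "$(curl_cfg_quote "$_tok")" > "$_cfg" || { rm -f "$_cfg"; return 1; }
    printf '%s\n' "$_cfg"
}

# Run curl with the scratch config, then delete the file whatever happens.
# Usage: curl_with_bearer "$TOKEN" [other curl arguments...]
curl_with_bearer() {
    _cfgfile=$(write_bearer_config "$1") || return 1
    shift
    curl --config "$_cfgfile" "$@"
    _rc=$?
    rm -f "$_cfgfile"
    return $_rc
}
```

The caller should obtain the token from a file or the environment rather than typing it on a command line, otherwise the exposure just moves to the calling script's own arguments.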
