Hi I have looked into CVE-2016-9586 affecting curl. What I'm trying to figure out is whether it is worth the effort to fix it or not.
More info here: https://curl.haxx.se/docs/adv_20161221A.html 1) There are no known exploits -> minor issue (?) 2) The functions have been documented as deprecated for a long time 3) The problem only occur on applications without proper input sanitizing (and using curl_mprintf) so one could even argue that this is not really a fault in curl at all. Due to this I could argue that it would mean a no-dsa tag. However the patch is quite simple so maybe it would be worth fixing anyway. Also it is for a library and we do not really know how libraries are used. So what do you think? Best regards // Ola -- --- Inguza Technology AB --- MSc in Information Technology ---- / [email protected] Folkebogatan 26 \ | [email protected] 654 68 KARLSTAD | | http://inguza.com/ Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---------------------------------------------------------------
