
This is nasty but fortunately it only affects fairly recent versions of curl, specifically curl 7.26.0 up to and including 7.28.1. That means Debian Stable and Ubuntu 12.04 aren't affected.

As a general rule, if you use libcurl in an application and follow redirects you should probably restrict CURLOPT_REDIR_PROTOCOLS to just HTTP and HTTPS (and maybe FTP). Otherwise a nefarious site could redirect curl to, for example, an IMAP, POP, or SMTP URL, which is potentially undesirable even without this vulnerability. If you're just using curl to talk HTTP(S) you really don't need any of these other protocols.
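Added example, not from the thread: the allowlist that CURLOPT_REDIR_PROTOCOLS enforces (`curl_easy_setopt(h, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS)`) written as a stand-alone C check that a client without such an option can run on a Location header before following it. The current-URL argument and the sample Location values are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Schemes a plain HTTP(S) client should ever be redirected to; the
   equivalent of CURLPROTO_HTTP | CURLPROTO_HTTPS for CURLOPT_REDIR_PROTOCOLS. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https" };

/* Copy the lowercased scheme of `url` (without ":") into `out`.
   Returns 1 if an absolute URL with a scheme was found, 0 if `url` is a
   relative or scheme-relative reference, -1 if a scheme is present but
   too long for `out` (callers must treat that as a refusal, not as relative). */
static int extract_scheme(const char *url, char *out, size_t outlen)
{
    size_t i = 0;
    if (!isalpha((unsigned char)url[0]))
        return 0;                       /* "/path" or "//host/path" */
    /* RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) */
    while (url[i] && (isalnum((unsigned char)url[i]) || strchr("+-.", url[i])))
        i++;
    if (url[i] != ':')
        return 0;                       /* e.g. "docs/index.html" */
    if (i + 1 > outlen)
        return -1;
    for (size_t k = 0; k < i; k++)
        out[k] = (char)tolower((unsigned char)url[k]);
    out[i] = '\0';
    return 1;
}

/* Return 1 if following `location` from `current_url` is acceptable, else 0.
   Relative targets inherit the current scheme, so a session that is already
   on a non-allowed protocol is refused as well. */
int redirect_allowed(const char *current_url, const char *location)
{
    char scheme[32];
    int rc = extract_scheme(location, scheme, sizeof scheme);
    if (rc < 0)
        return 0;
    if (rc == 0 && extract_scheme(current_url, scheme, sizeof scheme) != 1)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_SCHEMES / sizeof ALLOWED_SCHEMES[0]; i++)
        if (strcmp(scheme, ALLOWED_SCHEMES[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed Location values, as a redirecting server might send them */
    const char *cur = "https://example.com/start";
    const char *targets[] = { "https://example.com/next", "//cdn.example.net/x",
                              "/relative/path", "IMAP://mail.example.com/",
                              "smtp://mail.example.com/", "file:///tmp/report.txt" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-28s %s\n", targets[i], redirect_allowed(cur, targets[i]) ? "follow" : "refuse");
    return 0;
}
```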



Why does curl even allow that?


Wow, thanks for the heads up about version numbers - I was about to stay up late patching... with this information, patching can wait till morning.



