mirror of
https://github.com/moparisthebest/curl
synced 2024-12-22 16:18:48 -05:00
c0e8bed5bf
(http://curl.haxx.se/bug/view.cgi?id=2829955) mentioning the recent SSL cert verification flaw found and exploited by Moxie Marlinspike. The presentation he did at Black Hat is available here: https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike Apparently at least one CA allowed a subjectAltName or CN that contain a zero byte, and thus clients that assumed they would never have zero bytes were exploited to OK a certificate that didn't actually match the site. Like if the name in the cert was "example.com\0theatualsite.com", libcurl would happily verify that cert for example.com. libcurl now better use the length of the extracted name, not assuming it is zero terminated. |
||
---|---|---|
ares | ||
CMake | ||
docs | ||
include | ||
lib | ||
m4 | ||
packages | ||
perl | ||
src | ||
tests | ||
.cvsignore | ||
acinclude.m4 | ||
Android.mk | ||
buildconf | ||
buildconf.bat | ||
CHANGES | ||
CHANGES.0 | ||
CMakeLists.txt | ||
configure.ac | ||
COPYING | ||
CTestConfig.cmake | ||
curl-config.in | ||
curl-style.el | ||
CVS-INFO | ||
diff-exclude | ||
install-sh | ||
libcurl.pc.in | ||
MacOSX-Framework | ||
Makefile.am | ||
Makefile.dist | ||
maketgz | ||
missing | ||
mkinstalldirs | ||
README | ||
RELEASE-NOTES | ||
sample.emacs | ||
TODO-RELEASE | ||
vc6curl.dsw |
_ _ ____ _ ___| | | | _ \| | / __| | | | |_) | | | (__| |_| | _ <| |___ \___|\___/|_| \_\_____| README Curl is a command line tool for transferring data specified with URL syntax. Find out how to use curl by reading the curl.1 man page or the MANUAL document. Find out how to install Curl by reading the INSTALL document. libcurl is the library curl is using to do its job. It is readily available to be used by your software. Read the libcurl.3 man page to learn how! You find answers to the most frequent questions we get in the FAQ document. Study the COPYING file for distribution terms and similar. If you distribute curl binaries or other binaries that involve libcurl, you might enjoy the LICENSE-MIXING document. CONTACT If you have problems, questions, ideas or suggestions, please contact us by posting to a suitable mailing list. See http://curl.haxx.se/mail/ All contributors to the project are listed in the THANKS document. WEB SITE Visit the curl web site for the latest news and downloads: http://curl.haxx.se/ CVS To download the very latest source off the CVS server do this: cvs -d :pserver:anonymous@cool.haxx.se:/cvsroot/curl login (just press enter when asked for password) cvs -d :pserver:anonymous@cool.haxx.se:/cvsroot/curl co curl (you'll get a directory named curl created, filled with the source code) NOTICE Curl contains pieces of source code that is Copyright (c) 1998, 1999 Kungliga Tekniska Högskolan. This notice is included here to comply with the distribution terms.