The 2022 curl security audit
tldr: several hundred hours of dedicated scrutinizing of curl by a team of security experts resulted in two CVEs and a set of less serious remarks. The link to the reports is at the bottom of this...

NVD makes up vulnerability severity levels
When a security vulnerability has been found and confirmed in curl, we request a CVE ID for the issue. This is a globally unique identifier for this specific problem. We request the ID from our CVE...

deleting system32\curl.exe
Let me tell you a story about how Windows users are deleting files from their installation and as a consequence end up in tears. Background: The real and actual curl tool has been shipped as part of...

NVD damage continued
There is something about having your product installed in over twenty billion instances all over the world and even out of the globe. In my case it helps me remain focused on and committed to working...

Making it harder to do wrong
You know I spend all my days working on curl and related matters. I also spend a lot of time thinking on the project; like how we do things and how we should do things. The security angle of this...

The I in LLM stands for intelligence
I have held back on writing anything about AI or how we (not) use AI for development in the curl factory. Now I can’t hold back anymore. Let me show you the most significant effect of AI on curl as of...

curl, Tor, dot onion and SOCKS
You can of course use curl to access hosts through Tor. (I know you know Tor so I am not going to explain it here.) SOCKS The typical way to access Tor is via a SOCKS5 proxy and curl has supported...
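The point that matters when pairing curl with Tor is where the hostname gets resolved: with a `socks5://` proxy (or `--socks5`) curl resolves the name locally, so a `.onion` name is handed to the ordinary resolver, which leaks the intent and fails anyway; with `socks5h://` (or `--socks5-hostname`) the name is passed to the Tor SOCKS proxy, which resolves it inside the Tor network. The script below is an added example, not code from the blog post or the curl project. It assumes Tor's default SOCKS listener at 127.0.0.1:9050 and uses a constructed `example.onion` hostname; it classifies a proxy/URL pair before running curl and only invokes curl through the remote-resolving form.

```shell
#!/bin/sh
# Added example: check that a curl request for a .onion host will resolve the
# name at the Tor SOCKS proxy rather than through the local resolver.
# Assumption: Tor's SOCKS port is the default 127.0.0.1:9050.
TOR_SOCKS="127.0.0.1:9050"

# Extract the host part of a URL (scheme and userinfo stripped, port/path cut),
# lower-cased so .ONION is treated like .onion.
url_host() {
  printf '%s\n' "$1" \
    | sed -E -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' \
             -e 's#^[^/]*@##' \
             -e 's#[/:?].*$##' \
    | tr 'A-Z' 'a-z'
}

# Classify a (proxy, url) pair. Prints one word:
#   ok       .onion host and the proxy scheme resolves names remotely
#   leak     .onion host but the proxy scheme resolves names locally
#   noproxy  .onion host with no proxy at all: name goes to local DNS
#   clearnet not a .onion host; Tor is optional for it
classify_tor_request() {
  proxy=$1
  url=$2
  host=$(url_host "$url")
  case "$host" in
    *.onion) ;;
    *) echo clearnet; return 0 ;;
  esac
  case "$proxy" in
    "")                        echo noproxy ;;
    socks5h://*|socks4a://*)   echo ok ;;
    socks5://*|socks4://*)     echo leak ;;
    *)                         echo leak ;;   # http(s) proxies resolve locally in curl too
  esac
}

# Run curl for a URL through Tor, refusing any form that would leak the name.
# Uses the socks5h:// scheme so the proxy does the resolving.
tor_curl() {
  url=$1
  shift
  verdict=$(classify_tor_request "socks5h://$TOR_SOCKS" "$url")
  [ "$verdict" = ok ] || [ "$verdict" = clearnet ] || {
    echo "refusing: $verdict" >&2
    return 1
  }
  curl --proxy "socks5h://$TOR_SOCKS" "$@" "$url"
}
```

The `leak` verdict for plain `socks5://` is the one to watch for in scripts that were written against a non-Tor SOCKS proxy and later pointed at Tor: the command still looks right, but the `.onion` lookup never reaches Tor.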

Talk: Keeping the world from Burning
On Monday this week, I did a talk at the Nordic Software Security Summit conference in Stockholm Sweden. I titled it CVEMITRECVSSNVDCNAOSS WTF with the subtitle “Keeping the world from Burning”. The...

curl bug-bounty stats
tldr: the curl bug-bounty has been an astounding success so far. We started the current curl bug-bounty setup in April 2019. We have thus run it for five and a half years, give or take. In the...

A twenty-five years old curl bug
I have talked about old curl bugs before, but now we have a new curl record. When we announced the security flaw CVE-2024-11053 on December 11, 2024 together with the release of curl 8.11.1 we fixed a...