curl -- authentication buffer overflow vulnerability.

Simon L. Nielsen simon at
Tue Mar 1 22:20:39 GMT 2005

On 2005.03.01 16:46:22 -0500, daniel quinn wrote:

> Affected package: curl-7.12.3_2
> Type of problem: curl -- authentication buffer overflow vulnerability.
> Reference:
> <>
>   # portupgrade curl
> and nothing happened.  i went looking around and found that the port hasn't
> been updated:
> so my question is:  "is this normal"?  i'm new to freebsd (formerly gentoo

Yes, that's quite normal.

> linux) and i'm not used to security warnings that can't be fixed right away.

The reason this happens is that security issues for the FreeBSD Ports
Collection are often documented before the fix for the port is
committed.  This is done since when an issue is documented, it is already
public information, so we prefer to warn users sooner rather than
later.  This makes it possible for users themselves to evaluate if they
are affected by the particular problem and if needed take whatever
measures they find appropriate (e.g. uninstall the program).  The
description and references you find for each documented security
vulnerability (which can be found on the web page in the portaudit
output) are there to help users judge the how and if they are

Whenever a security issue is documented the maintainer for the
particular port is informed, so it's up to the maintainer of the port
to fix the port.  In some cases, generally if the issue is very
serious, the Security Team might fix the issue without waiting for OK
from the port maintainer, but that's the exception.

BTW, note that issues with the base system are handled differently as
described on the "FreeBSD Security Information" [1] page.

> curl's website tells me that version 7.13.1 is available, so i'm thinking
> this is isolated to freebsd.

The issue is present on all operating systems which ship curl, not
just FreeBSD.  The latest version I can find is 7.13.0 which does not
have the issues fixed yet.

> should i be emailing the maintainer?  isn't that rude?  what are my
> options here?

In general (unless the normal procedure failed) the maintainer will
already know of a documented security issue, so the best you can do is
check if the issue is a problem for you (using the above reference)
and wait for the fix.  In most cases the issues are fixed rather

I hope this answers your questions.


Simon L. Nielsen
FreeBSD Security Team