libcurl vulnerability

Matthew Seaman matthew at FreeBSD.org
Wed Sep 7 13:30:33 UTC 2016


On 2016/09/07 13:47, Gerard Seibert wrote:
> Does this vulnerability affect FreeBSD?

The ftp/curl port will be built against the base system copy of OpenSSL
by default, in which case this vulnerability won't affect it.

You can configure the port to link against libnss3.so, in which case curl
presumably would be vulnerable.  The latest VuXML entry for curl

https://vuxml.freebsd.org/freebsd/e4bc70fc-5a2f-11e6-a1bc-589cfc0654e1.html

only mentions CVE-2016-5420, and there doesn't appear to be anything
relevant listed against nss. Plus the version of curl in the ports at
the moment predates the fix in version 7.50.2.  I'd assume curl is
vulnerable if it is built with the NSS option turned on and if the nss
port is installed.

Please do raise a PR to report this to the maintainer of the curl port.

	Cheers,

	Matthew
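
An added example, not part of the original message: a shell check for the two conditions the reply names, a curl built against NSS and a libcurl version older than 7.50.2. The function names and the sample version lines are constructed for illustration, and the check assumes an NSS build reports an `NSS/` token on the first line of `curl --version`.

```shell
#!/bin/sh
# Added example (not from the message): report whether a curl build matches the
# conditions described above: NSS TLS backend and libcurl older than 7.50.2.
FIXED_VERSION="7.50.2"   # fix version named in the message

# ver_key "7.50.2" -> 7050002, so dotted versions compare as integers.
ver_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d%03d%03d\n", $1, $2, $3 }'
}

# classify_curl LINE: LINE is the first line of `curl --version`.
# Prints one of: unknown, not-nss, nss-unfixed, nss-fixed.
classify_curl() {
    libver="" nss=no
    for tok in $1; do            # intentional word splitting into tokens
        case $tok in
            libcurl/*) libver=${tok#libcurl/} ;;
            NSS/*)     nss=yes ;;
        esac
    done
    if [ -z "$libver" ]; then echo unknown
    elif [ "$nss" = no ]; then echo not-nss
    elif [ "$(ver_key "$libver")" -lt "$(ver_key "$FIXED_VERSION")" ]; then
        echo nss-unfixed
    else echo nss-fixed
    fi
}

# Constructed sample version lines (not captured from real hosts).
SAMPLE_OPENSSL='curl 7.50.1 (amd64-portbld-freebsd10.3) libcurl/7.50.1 OpenSSL/1.0.1s zlib/1.2.8'
SAMPLE_NSS_OLD='curl 7.50.1 (amd64-portbld-freebsd10.3) libcurl/7.50.1 NSS/3.25 zlib/1.2.8'
SAMPLE_NSS_NEW='curl 7.50.2 (amd64-portbld-freebsd10.3) libcurl/7.50.2 NSS/3.26 zlib/1.2.8'

for s in "$SAMPLE_OPENSSL" "$SAMPLE_NSS_OLD" "$SAMPLE_NSS_NEW"; do
    printf '%s => %s\n' "$s" "$(classify_curl "$s")"
done

# Classify the locally installed curl, if there is one.
if command -v curl >/dev/null 2>&1; then
    printf 'local curl => %s\n' "$(classify_curl "$(curl --version | head -n 1)")"
fi
```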


