[Secure-testing-team] Bug#745837: curl should use a Certificate Revocation List by default

Vincent Lefevre vincent at vinc17.net
Fri Apr 25 17:54:36 UTC 2014


Package: curl
Version: 7.36.0-1+b1
Severity: important
Tags: security

I suppose that, though this is documented in the curl(1) man page
(quite poorly), most users don't know that curl doesn't have any
check for certificate revocation by default. Before the Heartbleed
bug, this could be regarded as not very important. But now there
may have been many more leaks than before. So curl should use an
up-to-date Certificate Revocation List by default (which it supports)
or some other alternate method, like Firefox.

As an example, https://www.cloudflarechallenge.com/ could be tried.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages curl depends on:
ii  libc6     2.18-4
ii  libcurl3  7.36.0-1+b1
ii  zlib1g    1:1.2.8.dfsg-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
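The report above turns on one distinction: curl's default TLS verification validates the chain only, while `--crlfile` makes libcurl (on the OpenSSL backend) set X509_V_FLAG_CRL_CHECK and reject a certificate whose serial appears in the supplied CRL. The script below is an added example, not code from the bug report or from the curl project. It builds a throwaway CA with the openssl command line, issues two leaf certificates, revokes one, publishes a CRL, and then runs both checks with `openssl verify`, which performs the same X509 store verification libcurl does. The CA name and the hostnames revoked.example and valid.example are made up for the demo; no network access is needed.

```shell
#!/bin/sh
# Added example (not from the bug report or from curl): reproduce, with the
# openssl CLI, the two verification modes the report contrasts:
#   chain_only_check  - what curl does by default (no revocation lookup)
#   crl_check         - what curl does with --crlfile (CRL lookup enabled)
# "Demo CA", revoked.example and valid.example are made-up names.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl.cnf covering `req`, `x509 -req` and `ca`.  $WORK is
# expanded here so the paths in the file are absolute; \$dir stays literal.
build_pki() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 1000 > "$WORK/crlnumber"
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth

[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
default_days = 30
policy = policy_any

[ policy_any ]
commonName = supplied
EOF

    # Self-signed CA (P-256 keys keep the demo fast).
    openssl req -config "$WORK/openssl.cnf" -x509 -new -nodes \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Demo CA" -days 30 >/dev/null 2>&1

    # Two leaf certificates issued by that CA.
    for name in revoked valid; do
        openssl req -config "$WORK/openssl.cnf" -new -nodes \
            -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
            -subj "/CN=$name.example" >/dev/null 2>&1
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -days 30 -sha256 \
            -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    done

    # Revoke one leaf and publish the CRL the CA now distributes.
    openssl ca -config "$WORK/openssl.cnf" -revoke "$WORK/revoked.pem" >/dev/null 2>&1
    openssl ca -config "$WORK/openssl.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

# Default curl behaviour: the chain is validated, no CRL is ever consulted,
# so a revoked but otherwise well-formed certificate is accepted.
chain_only_check() {   # $1 = leaf cert; prints OK or FAIL
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# curl --crlfile crl.pem behaviour: the leaf's serial is looked up in the
# CRL and a revoked certificate is rejected with "certificate revoked".
crl_check() {          # $1 = leaf cert; prints OK, REVOKED or FAIL
    out=$(openssl verify -crl_check -CAfile "$WORK/ca.pem" \
          -CRLfile "$WORK/crl.pem" "$1" 2>&1) && { echo OK; return; }
    case $out in
        *"certificate revoked"*) echo REVOKED ;;
        *) echo FAIL ;;
    esac
}

build_pki
echo "default (no CRL): revoked.example -> $(chain_only_check "$WORK/revoked.pem")"
echo "with CRL:         revoked.example -> $(crl_check "$WORK/revoked.pem")"
echo "with CRL:         valid.example   -> $(crl_check "$WORK/valid.pem")"
# Against a live server the equivalent curl invocation would be:
#   curl --cacert ca.pem --crlfile crl.pem https://revoked.example/
```

The first line of output is the situation the report complains about: the revoked certificate passes because nothing asked for a revocation check. The second shows what `--crlfile` adds, and the third shows that enabling the check does not break certificates the CRL does not list. Note that a CRL only helps while it is fresh; `default_crl_days` here is 30, and a client shipping a CRL "by default" would need a way to refresh it.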
