Feddit.dk
  • Communities
  • Create Post
  • Create Community
  • heart
    Support Lemmy
  • search
    Search
  • Login
  • Sign Up
Harry Sintonen@infosec.exchange to Cybersecurity@fedia.io · 3 months ago

#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here:

message-square
message-square
5
link
fedilink
14
message-square

#cURL doesn't validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here:

Harry Sintonen@infosec.exchange to Cybersecurity@fedia.io · 3 months ago
message-square
5
link
fedilink

#cURL doesn’t validate SSH host identity if known_hosts file is missing. I think this is a #vulnerability, but the project disagrees. Advisory is here: https://sintonen.fi/advisories/curl-ssh-insufficient-host-identity-verification.txt

#infosec #cybersecurity #nocve

alert-triangle
You must log in or register to comment.
  • Harry Sintonen@infosec.exchangeOP
    link
    fedilink
    arrow-up
    3    ·
    3 months ago

    The latest curl version 8.12.0 (released today) is affected.

  • Dubiousx99@lemmy.world
    link
    fedilink
    arrow-up
    2    ·
    3 months ago

    This is a good post and article. It actually contains enough information to make an assessment about how this vulnerability equates to risk in our environments. I completely agree with the author that curl requests should fail if they can’t perform validation as defined being the default behavior.

  • SatyrSack@feddit.org
    link
    fedilink
    arrow-up
    2    ·
    3 months ago

    Are there any good curl forks?

    • Harry Sintonen@infosec.exchangeOP
      link
      fedilink
      arrow-up
      2      ·
      3 months ago

      @SatyrSack@feddit.org Curl will likely address this eventually even though they don’t consider it a vulnerability. See https://github.com/curl/curl/issues/16197

  • Gabriel N@infosec.exchange
    link
    fedilink
    arrow-up
    1    ·
    3 months ago

    @harrysintonen@infosec.exchange nice find, I don’t know how curl defines a vulnerability, but it definitely should have more warnings and preferably fail closed, although that might break quite a few systems which depend on this insecure behaviour

Cybersecurity@fedia.io

cybersecurity@fedia.io

Subscribe from Remote Instance

Create a post
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !cybersecurity@fedia.io

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Rules

Community Rules

  • Be kind
  • Limit promotional activities
  • Non-cybersecurity posts should be redirected to other communities within infosec.pub.
Visibility: Public
globe

This community can be federated to other instances and be posted/commented in by their users.

  • 10 users / day
  • 110 users / week
  • 436 users / month
  • 2K users / 6 months
  • 5 local subscribers
  • 5 subscribers
  • 1.07K Posts
  • 807 Comments
  • Modlog
  • mods:
  • shellsharks@fedia.io
  • tweedge@fedia.io
  • BE: 0.19.11
  • Modlog
  • Legal
  • Instances
  • Docs
  • Code
  • join-lemmy.org