Opened 7 months ago

Closed 6 months ago

Last modified 6 months ago

#20355 closed enhancement (fixed)

curl-8.10.1

Reported by: Bruce Dubbs Owned by: Rahul Chandra
Priority: elevated Milestone: 12.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version.

Change History (7)

comment:1 by Rahul Chandra, 7 months ago

Owner: changed from blfs-book to Rahul Chandra
Status: new → assigned

comment:2 by Douglas R. Reno, 6 months ago

Priority: normal → elevated

OCSP stapling bypass with GnuTLS
================================

Project curl Security Advisory, September 11th 2024 -
[Permalink](https://curl.se/docs/CVE-2024-8096.html)

VULNERABILITY
-------------

When curl is told to use the Certificate Status Request TLS extension, often
referred to as OCSP stapling, to verify that the server certificate is valid,
it might fail to detect some OCSP problems and instead wrongly consider the
response as fine.

If the returned status reports another error than "revoked" (like for example
"unauthorized") it is not treated as a bad certificate.

INFO
----

This issue only exists when curl is built to use the GnuTLS library. curl can
be made to use a large variety of TLS libraries and GnuTLS is not the most
common choice.

OCSP stapling is not a widely used feature on the open web, perhaps partly
because so many big name sites do not support it.

This bug is **not** considered a *C mistake* (likely to have been avoided had
we not been using C).

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2024-8096 to this issue.

CWE-295: Improper Certificate Validation

Severity: Medium

AFFECTED VERSIONS
-----------------

The vulnerable code can only be reached when curl is built to use GnuTLS.

- Affected versions: curl 7.41.0 to and including 8.9.1
- Not affected versions: curl < 7.41.0 and >= 8.10.0
- Introduced-in: https://github.com/curl/curl/commit/f13669a375f

libcurl is used by many applications, but not always advertised as such!

SOLUTION
------------

- Fixed-in: https://github.com/curl/curl/commit/aeb1a281cab13c7ba

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.10.0

 B - Apply the patch to your version and rebuild

 C - Build your curl with an unaffected TLS backend

TIMELINE
---------

This issue was reported to the curl project on August 19, 2024. We contacted
distros@openwall on September 3, 2024.

curl 8.10.0 was released on September 11 2024 around 06:00 UTC, coordinated
with the publication of this advisory.

CREDITS
-------

- Reported-by: Hiroki Kurosawa
- Patched-by: Daniel Stenberg

Thanks a lot!

Note that this does not affect a default BLFS system, but we do mention the options required to use GnuTLS. As a result I'll make sure to note that when the security advisory is filed.
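
The advisory's affected set is a conjunction of two facts about a build, TLS backend and version, and both are visible in the first line of `curl --version`. The script below is an added example for this ticket, not code from BLFS or from the curl project. It assumes the banner layout curl prints ("curl X.Y.Z (triplet) libcurl/X.Y.Z <backend>/<ver> ..."), and it treats a GnuTLS entry inside a MultiSSL backend list as affected, since that backend can be selected at runtime. The banners it classifies are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example for this ticket, not code from BLFS or the curl project.
# Classifies a `curl --version` banner against the CVE-2024-8096 window:
# affected = TLS backend GnuTLS AND 7.41.0 <= version <= 8.9.1.

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) { print "-1"; exit }
            if (ai > bi) { print "1"; exit }
        }
        print "0"
    }'
}

# curl_version_of BANNER: the version token from the first line of
# `curl --version` ("curl X.Y.Z (triplet) libcurl/X.Y.Z <TLS>/<ver> ...").
curl_version_of() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# uses_gnutls BANNER: true when GnuTLS is among the listed TLS backends.
# MultiSSL builds list several backends in parentheses; any GnuTLS entry
# counts, because that backend can be selected at runtime (assumption).
uses_gnutls() {
    case "$1" in
        *GnuTLS/*) return 0 ;;
        *) return 1 ;;
    esac
}

# cve_2024_8096_affected BANNER: exit 0 when the build is in the affected set
# stated by the advisory (GnuTLS backend, curl 7.41.0 up to and including 8.9.1).
cve_2024_8096_affected() {
    uses_gnutls "$1" || return 1
    v=$(curl_version_of "$1")
    [ "$(vercmp "$v" 7.41.0)" -ge 0 ] && [ "$(vercmp "$v" 8.9.1)" -le 0 ]
}

# Constructed banners for demonstration (not captured from a real system).
AFFECTED_BANNER='curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 GnuTLS/3.8.5 zlib/1.3.1 libpsl/0.21.5'
FIXED_BANNER='curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 GnuTLS/3.8.5 zlib/1.3.1 libpsl/0.21.5'
OPENSSL_BANNER='curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.3.1 zlib/1.3.1 libpsl/0.21.5'

for b in "$AFFECTED_BANNER" "$FIXED_BANNER" "$OPENSSL_BANNER"; do
    if cve_2024_8096_affected "$b"; then
        echo "AFFECTED : $b"
    else
        echo "ok       : $b"
    fi
done

# Check the installed curl, if there is one on PATH.
if command -v curl >/dev/null 2>&1; then
    live=$(curl --version | head -n 1)
    if cve_2024_8096_affected "$live"; then
        echo "installed curl is affected by CVE-2024-8096: $live"
    else
        echo "installed curl is not in the affected set: $live"
    fi
fi
```

Only transfers that request stapling reach the faulty code, so on an affected build `curl --cert-status` (or CURLOPT_SSL_VERIFYSTATUS in libcurl) is the path to worry about; plain transfers without that option never evaluate the OCSP response. For a BLFS build, the advisory's option C corresponds to configuring curl with `--with-openssl` instead of `--with-gnutls`, and a rebuilt curl can be re-checked with the same function.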

comment:3 by Douglas R. Reno, 6 months ago

Summary: curl-8.10.0 → curl-8.10.0 (Hold until 8.10.1 on Wednesday)

Hold until 8.10.1 on Wednesday

Hello,

Just as we feared; among the ridiculous amount of changes and bugfixes we landed in 
8.10.0 we also let a few regressions slip in. Some of them nasty enough to warrant a 
patch release.

Thus: we now focus and aim for a 8.10.1 release on Wednesday September 18. It gives us a 
few more days to gather issues, merge bugfixes and then to get our release ducks in 
order without rushing anything.

So please: if you find an ever so small issue with 8.10.0, please let us know asap and 
we might have a chance to fix it really quickly.

Thanks for flying curl. Never a dull moment. 

comment:4 by Douglas R. Reno, 6 months ago

Summary: curl-8.10.0 (Hold until 8.10.1 on Wednesday) → curl-8.10.1

Now 8.10.1. This ticket should now be doable

comment:5 by Rahul Chandra, 6 months ago

SA-12.2-013 Issued

comment:6 by Rahul Chandra, 6 months ago

Resolution: fixed
Status: assigned → closed
Fixed @
db65d99b0decdc2b38ab9596db7a6f4ed49047f9 - protobuf-28.2
4d0a4263abf0a00d5050953caa5bbeba0940fb78 - libpng-1.6.44
3a37e2f6cde8f490ee87dfce68a590ab817dc834 - bluez-5.78
befaab0a59b34bd4f25b5dd9cb86a09fe64bf87d - librsvg-2.58.4
d65e019e26c4128e3a01a6a549900e8f96ea1cb3 - curl-8.10.1 (Security Update).
1aa3576106248285dcf02e640d8a3dc660d864a6 - qemu-9.1.0
5216c76c32d250b0acf96b2b7e6d3df2e1d3956c - power-profiles-daemon-0.23

comment:7 by Douglas R. Reno, 6 months ago

Release notes for 8.10.0:

Changes:

    autotools: add `--enable-windows-unicode` option
    curl: --help [option] displays documentation for given cmdline option
    curl: add --skip-existing
    curl: for -O, use "default" as filename when the URL has none
    curl: make --rate accept "number of units"
    curl: make --show-headers the same as --include
    curl: support --dump-header % to direct to stderr
    curl: support embedding a CA bundle and --dump-ca-embed
    curl: support repeated use of the verbose option; -vv etc
    curl: use libuv for parallel transfers with --test-event
    getinfo: add CURLINFO_POSTTRANSFER_TIME_T
    mbedtls: add CURLOPT_TLS13_CIPHERS support
    rustls: add support for setting TLS version and ciphers
    vtls: stop offering alpn http/1.1 for http2-prior-knowledge
    wolfssl: add CURLOPT_TLS13_CIPHERS support
    wolfssl: add support for ssl cert blob / ssl key blob options 

Bugfixes:

    asyn-thread: stop using GetAddrInfoExW on Windows
    autotools: fix MS-DOS builds
    autotools: fix typo in tests/data target
    aws_sigv4: fix canon order for headers with same prefix
    bearssl: fix setting tls version
    bearssl: improve shutdown handling
    BINDINGS: add zig binding
    build: add `iphlpapi` lib for libssh on Windows
    build: add `poll()` detection for cross-builds
    build: add options to disable SHA-512/256 hash algo
    build: check OS-native IDN first, then libidn2
    build: delete unused `REQUIRE_LIB_DEPS`
    build: drop unused `NROFF` reference
    build: drop unused feature-detection code for Apple `poll()`
    build: generate `buildinfo.txt` for test logs
    build: improve compiler version detection portability
    build: make `CURL_FORMAT_CURL_OFF_T[U]` work with mingw-w64 <=7.0.0
    build: silence C4232 MSVC warnings in vcpkg ngtcp2 builds
    build: use -Wno-format-overflow
    buildconf.bat: fix tool_hugehelp.c generation
    cf-socket: fix pollset for listening
    cf-socket: prevent KEEPALIVE_FACTOR being set to 1000 for Windows
    cfilters: send flush
    CHANGES: rename to CHANGES.md, no longer generated
    CI: enable parallel testing in CI builds
    ci: Update actions/upload-artifact digest to 89ef406
    cmake: `Libs.private` improvements
    cmake: add `CURL_USE_PKGCONFIG` option
    cmake: add Linux CI job, fix pytest with cmake
    cmake: add math library when using wolfssl and ngtcp2
    cmake: add missing `pkg-config` hints to Find modules
    cmake: add missing version detection to Find modules
    cmake: add rustls
    cmake: add support for versioned symbols option
    cmake: add wolfSSH support
    cmake: allow `pkg-config` in more envs
    cmake: cleanup header paths
    cmake: default `CURL_DISABLE_LDAPS` to the value of `CURL_DISABLE_LDAP`
    cmake: delete MSVC warning suppression for tests/server
    cmake: detect `nghttp2` via `pkg-config`, enable by default
    cmake: detect and show VCPKG in platform flags
    cmake: distcheck for files in CMake subdir
    cmake: drop custom `CMakeOutput.log`/`CMakeError.log` logs
    cmake: drop libssh CONFIG-style detection
    cmake: drop no-op `tests/data/CMakeLists.txt`
    cmake: drop reference to undefined variable
    cmake: drop unused `HAVE_IDNA_STRERROR`
    cmake: drop unused internal variable
    cmake: exclude tests/http/clients builds by default
    cmake: fix `GSS_VERSION` for Heimdal found via pkg-config
    cmake: fix `pkg-config`-based detection in `FindGSS.cmake`
    cmake: fix and tidy up c-ares builds, enable in more CI jobs
    cmake: fix find rustls
    cmake: fixup linking libgsasl when detected via CMake-native
    cmake: honor custom `CMAKE_UNITY_BUILD_BATCH_SIZE`
    cmake: limit `pkg-config` to UNIX and MSVC+vcpkg by default
    cmake: limit libidn2 `pkg-config` detection to `UNIX`
    cmake: migrate dependency detections to Find modules
    cmake: more small tidy-ups and fixes
    cmake: rename wolfSSL and zstd config variables to uppercase
    cmake: respect cflags/libdirs of native pkg-config detections
    cmake: show CMake platform/compiler flags
    cmake: show warning if libpsl is not found
    cmake: sync code between test/example targets
    cmake: sync up formatting in Find modules
    cmake: TLS 1.3 warning only for bearssl and sectranp
    cmake: update `curl-config.cmake.in` template var list
    cmake: update list of "advanced" variables
    cmake: use numeric comparison for `HAVE_WIN32_WINNT`
    cmdline-opts: language fix for expect100-timeout.md and max-time.md
    configure: delete unused `CURL_DEFINE_UNQUOTED` function
    configure: delete unused `HAVE_OPENSSL3` macro
    configure: delete unused `m4/xc-translit.m4`
    configure: detect AppleIDN
    configure: fail if PSL is not disabled but not found
    configure: fix WinIDN builds targeting old Windows
    configure: remove USE_EXPLICIT_LIB_DEPS
    configure: replace nonportable grep -o with awk
    connect: always prefer ipv6 in IP eyeballing
    connect: limit update IP info
    cookie.md: try to articulate the two different uses this option has
    curl: allow 500MB data URL encode strings
    curl: find curlrc in XDG_CONFIG_HOME without leading dot
    curl: fix --proxy-pinnedpubkey
    curl: fix the -w urle.* variables
    curl: make the progress bar detect terminal width changes
    curl: warn on unsupported SSL options
    Curl_rand_bytes to control env override
    curl_sha512_256: fix symbol collisions with nettle library
    CURLMOPT_SOCKETFUNCTION.md: expand on the easy argument
    CURLOPT_XFERINFOFUNCTION: clarify the callback return codes
    dist: add missing `docs/examples/CMakeLists.txt`
    dist: add missing `FindNettle.cmake`
    dist: add missing `lib/optiontable.pl`
    dist: add missing `test_*.py` scripts
    dist: drop buildconf
    dist: fix reproducible build from release tarball
    dmaketgz: only run 'make distclean' if Makefile exists
    docs/SSLCERTS: rewrite
    docs: add description of effect of --location-trusted on cookie
    docs: document the (weak) random value situation in rustls builds
    docs: fix some examples in man pages
    docs: improve cipher options documentation
    docs: mention "@-" in more places
    docs: remove ALTSVC.md, HSTS.md, HTTP2.md and PARALLEL-TRANSFERS.md
    docs: update CIPHERS.md
    doh-url.md: point out DOH server IP pinning
    doh: remove redundant checks
    easy: fix curl_easy_upkeep for shared connection caches
    escape: allow curl_easy_escape to generate 3*input length output
    FEATURES.md: fix typo
    ftp: always offer line end conversions
    ftp: flush pingpong before response
    getinfo: return zero for unsupported options (when disabled)
    GHA/windows: enable MultiSSL in an MSVC job
    GHA: scan git repository and detect unvetted binary files
    gnutls/wolfssl: improve error message when certificate fails
    gnutls: send all data
    gtls: fix OCSP stapling management
    haproxy: send though next filter
    hash: provide asserts to verify API use
    http/2: simplify eos/blocked handling
    http2+h3 filters: fix ctx init
    http2: fix GOAWAY message sent to server
    http2: improve rate limiting of downloads
    http2: improved upload eos handling
    http3.md: mention how the fallback can be h1 or h2
    hyper: call Curl_req_set_upload_done()
    idn: more strictly check AppleIDN errors
    idn: support non-UTF-8 input under AppleIDN
    INSTALL.md: MultiSSL and QUIC are mutually exclusive
    KNOWN_BUGS: "special characters" in URL works with aws-sigv4
    krb5: add Linux/macOS CI tests, fix cmake GSS detection
    krb5: fix `-Wcast-align`
    lib: add eos flag to send methods
    lib: avoid macro collisions between wolfSSL and GnuTLS headers
    lib: convert some debugf()s into traces
    lib: delete stray undefs for `vsnprintf`, `vsprintf`
    lib: fix AIX build issues
    lib: fix building with wolfSSL without DES support
    lib: make SSPI global symbols use Curl_ prefix
    lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name
    lib: remove the final strncpy() calls
    lib: remove use of RANDOM_FILE
    libcurl.def: move from / into lib
    libcurl.pc: add `Cflags.private`
    libcurl.pc: add reference to `libgsasl`
    libcurl/docs: expand on redirect following and secrets to other hosts
    llist: remove direct struct accesses, use only functions
    Makefile.dist: fix `ca-firefox` target
    Makefile.mk: fixup enabling libidn2
    Makefile: remove 'scripts' duplicate from DIST_SUBDIRS
    maketgz: accept option to include latest commit hash
    maketgz: fix RELEASE-TOOLS.md for daily tarballs
    maketgz: move from / into scripts
    managen: fix superfluous leading blank line in quoted sections
    managen: in man output, remove the leading space from examples
    managen: wordwrap long example lines in ASCII output
    manpage: ensure a maximum width for the text version
    max-filesize.md: mention zero disables the limit
    mbedtls: add more informative logging
    mbedtls: fix setting tls version
    mbedtls: no longer use MBEDTLS_SSL_VERIFY_OPTIONAL
    mime: avoid infinite loop in client reader
    mk-ca-bundle.pl: include a link to the caextract webpage
    multi: make the "general" list of easy handles a Curl_llist
    multi: on socket callback error, remove socket hash entry nonetheless
    ngtcp2/osslq: remove NULL pointer dereferences
    ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks
    openssl quic: fix memory leak
    openssl: certinfo errors now fail correctly
    openssl: fix the data race when sharing an SSL session between threads
    openssl: improve shutdown handling
    pingpong: drain the input buffer when reading responses
    POP3: fix multi-line responses
    pop3: use the protocol handler ->write_resp
    printf: fix mingw-w64 format checks
    progress: ratelimit/progress tweaks
    pytests: add tests for HEAD requests in all HTTP versions
    rand: only provide weak random when needed
    runtests: if DISABLED cannot be read, error out
    runtests: log ignored but passed tests
    runtests: remove "has_textaware"
    rustls: fix setting tls version
    rustls: make all tests pass
    schannel: avoid malloc for CAinfo_blob_digest
    scorecard: tweak request measurements
    sectransp: fix setting tls version
    SECURITY: mention OpenSSF best practices gold badge
    setopt: allow CURLOPT_INTERFACE to be set to NULL
    setopt: let CURLOPT_ECH set to NULL reset to default
    setopt: make CURLOPT_TFTP_BLKSIZE accept bad values
    sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL
    share: don't reinitialize conncache
    sigpipe: init the struct so that first apply ignores
    smb: convert superfluous assign into assert
    smtp: add tracing feature
    splay: use access functions, add asserts, use Curl_timediff
    spnego_gssapi: implement TLS channel bindings for openssl
    src: delete `curlx_m*printf()` aliases
    src: fix potential macro confusion in cmake unity builds
    src: namespace symbols clashing with lib
    src: replace copy of printf mappings with an include
    ssh: deduplicate SSH backend includes (and fix libssh cmake unity build)
    system_win32: fix typo
    test httpd: tweak cipher list
    test1521: verify setting options to NULL better
    test1707: output diff more for debugging differences in CI outputs
    test556: improve robustness
    test579: improve robustness
    test587: improve robustness
    test649: improve robustness
    test677: improve robustness
    tests/runner: only allow [!A-Za-z0-9_-] in %if feature names
    tests: constrain http pytest to tests/http directory
    tests: don't mangle output if hostname or type unknown
    tests: ignore QUIT from FTP protocol comparisons
    tests: provide docs as curldown, not nroff
    tidy-up: misc build, tests, `lib/macos.c`
    tidy-up: OS names
    tool_operhlp: fix "potentially uninitialized local variable 'pc' used"
    tool_paramhlp: bump maximum post data size in memory to 16GB
    transfer: Curl_sendrecv() and event related improvements
    transfer: remove comments, add asserts
    transfer: skip EOS read when download done
    url: dns_entry related improvements
    url: fix connection reuse for HTTP/2 upgrades
    urlapi: verify URL *decoded* hostname when set
    urldata: introduce `data->mid`, a unique identifier inside a multi
    urldata: remove 'scratch' from the UrlState struct
    urldata: remove crlf_conversions counter
    urldata: remove proxy_connect_closed bit
    verify-release: shell script that verifies a release tarball
    version: fix shadowing a `libssh.h` symbol
    vtls: add SSLSUPP_CIPHER_LIST
    vtls: fix MSVC 'cast truncates constant value' warning
    vtls: fix static function name collisions between TLS backends
    vtls: init ssl peer only once
    websocket: introduce blocking sends
    wolfssl: avoid taking cached x509 store ref if sslctx already using it
    wolfssl: fix CURLOPT_SSLVERSION
    wolfssl: fix setting tls version
    wolfssl: improve shutdown handling
    ws: flags to opcodes should ignore CURLWS_CONT flag
    x509asn1: raise size limit for x509 certification information 

Release notes for 8.10.1:

Bugfixes:

    autotools: fix `--with-ca-embed` build rule
    cmake: ensure `CURL_USE_OPENSSL`/`USE_OPENSSL_QUIC` are set in sync
    cmake: fix MSH3 to appear on the feature list
    connect: store connection info when really done
    CURLMOPT_TIMERFUNCTION.md: emphasize that only a single timer should run
    FTP: partly revert eeb7c1280742f5c8fa48a4340fc1e1a1a2c7075a
    http2: when uploading data from stdin, fix eos forwarding
    http: make max-filesize check not count ignored bodies
    lib: fix AF_INET6 use outside of USE_IPV6
    libcurl-docs: CURLINFO_LOCAL_* work for QUIC as well as TCP
    multi: check that the multi handle is valid in curl_multi_assign
    QUIC: on connect, keep on trying on draining server
    request: correctly reset the eos_sent flag
    runtests: accept 'quictls' as OpenSSL compatible
    rustls: fixed minor logic bug in default cipher selection
    rustls: rustls-ffi 0.14.0 update
    rustls: support strong CSRNG data
    setopt: remove superfluous use of ternary expressions
    singleuse: drop `Curl_memrchr()` for no-HTTP builds
    test537: cap the rlimit max this test runs
    tests: tweak lock file handling and timers
    tool_cb_wrt: use "curl_response" if no file name in URL
    transfer: fix sendrecv() without interim poll
    vtls: fix `Curl_ssl_conn_config_match` doc param 