3 matches found
curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library which has the surprising side-effect that if an application sets up multiple concurrent transfers the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario this weakens transport security significantly.
...
CURL-CVE-2014-2522 not verifying certs for TLS to IP address / Schannel
When asked to do a TLS connection HTTPS, FTPS, IMAPS, etc to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature whether it was signed by a trusted CA and validity whether the date was within the certificate's...
[Full-disclosure] Windows Oday release
dear all SChannel Off-By-One Heap Corruption =================================== Discovery Date: 28th August 2006 Date reported to Microsoft: 19th March 2007 Summary: The Secure Channel SChannel library on WinXP-SP1/SP2 is vulnerable to a off-by-one heap buffer overwrite. The SChannel library...