From: Daniel Stenberg Date: Tue, 29 Apr 2025 09:10:19 +0000 (+0200) Subject: VULN-DISCLOSURE-POLICY: use of weak algos X-Git-Tag: curl-8_14_0~179 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f57c2ea95c70cd8985335e7c39e383499963474;p=thirdparty%2Fcurl.git VULN-DISCLOSURE-POLICY: use of weak algos Not necessarily security problems. Closes #17220 --- diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words index 17b891ca1a..1d44eb9625 100644 --- a/.github/scripts/spellcheck.words +++ b/.github/scripts/spellcheck.words @@ -176,6 +176,7 @@ DELE DER dereference dereferences +DES deselectable deserialization Deserialized diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 35063053d2..23deb6b8fa 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -337,3 +337,13 @@ A *legacy dependency* is here defined as: - there are modern versions of equivalent or better functionality offered and in common use + +## weak algorithms required for functionality + +curl supports several algorithms that are considered weak, like DES and MD5. +These algorithms are still not curl security vulnerabilities or security +problems as they are only used when the users explicitly ask for their use by +using the protocols or options that require the use of those algorithms. + +When servers upgrade to use secure alternatives, curl users should use those +options/protocols. diff --git a/docs/libcurl/opts/CURLOPT_HTTPAUTH.md b/docs/libcurl/opts/CURLOPT_HTTPAUTH.md index 268d8599d6..1146cab17e 100644 --- a/docs/libcurl/opts/CURLOPT_HTTPAUTH.md +++ b/docs/libcurl/opts/CURLOPT_HTTPAUTH.md 
@@ -80,8 +80,7 @@ HTTP NTLM authentication. A proprietary protocol invented and used by Microsoft. It uses a challenge-response and hash concept similar to Digest, to prevent the password from being eavesdropped. -You need to build libcurl with either OpenSSL or GnuTLS support for this -option to work, or build libcurl on Windows with SSPI support. +NTLM uses weak cryptographic algorithms and is not considered secure. ## CURLAUTH_NTLM_WB
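Review bot: in the new "weak algorithms required for functionality" section of docs/VULN-DISCLOSURE-POLICY.md, the phrase "are still not curl security vulnerabilities" reads as though they once were; "are not considered curl security vulnerabilities" says what is meant. The sentence "only used when the users explicitly ask for their use by using the protocols or options that require the use of those algorithms" names no such option, so a reader cannot tell what is in scope; naming one concrete case, for example the NTLM option that this same commit marks as using weak algorithms in CURLOPT_HTTPAUTH.md, would make the policy testable against real reports. The closing "curl users should use those options/protocols" is also ambiguous about what "those" refers to; suggest "curl users should switch to those secure alternatives".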
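Review bot: the CURLOPT_HTTPAUTH.md hunk removes the build-requirement sentence ("You need to build libcurl with either OpenSSL or GnuTLS support for this option to work, or build libcurl on Windows with SSPI support.") and replaces it with the weak-algorithm warning, but the commit message ("use of weak algos") gives no reason for dropping the build requirement. If the requirement is obsolete, say so in the commit message and state where the supported-backend information now lives; if it still applies, keep that sentence and add the new one after it, since a user who reads only this page otherwise loses the information. It would also help to point the new sentence at the policy section added in the same commit so the "not considered secure" statement is tied to the stated disclosure position.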