[Daniel's week] April 14, 2023

Daniel Stenberg daniel at haxx.se
Fri Apr 14 16:17:23 CEST 2023


Hi friends.

As I had a four-day weekend last weekend, this was a short week, but still I
managed to get a lot of things to happen...

## live-stream

I did another stream live-coding session [4] on Tuesday which was watched by
over 400 unique viewers. It's fun that they are appreciated and it makes me
motivated to keep doing them. My plan is to stick to doing weekly sessions on
Tuesday mornings my time, but I will adjust the schedule when needed.

This week I showed myself working on trurl and curl stuff and it was rather
productive.

## haxx.se

An individual approached one of the Haxx co-owners and was very eager to
purchase the haxx.se domain name and offered us a total of 600,000 Euros. We
declined the offer as we have no plans on selling. I suppose the fact that the
domain name shows up on a lot of places all over the Internet might make it
worth something to some. This is **not** an invitation to send more offers.

## URL parser

Working on more URL management in the trurl tool made me go research the URL
parser code again and I ended up spending several hours on polishing it
further [8]. That exercise ended up removing 80 lines of code and made my
URL parser benchmark program run 40% faster! Not too bad. It actually amazes
me a little that one can parse one of these URLs in less than 100 nanoseconds
on average (albeit on my fairly fast CPU).

## trurl

I tagged and announced another trurl release called 0.4 [7]. It features a few
more options and features and probably nothing that breaks use if you upgrade
from 0.3. It feels like we might already be starting to settle in on exactly how
it should work, and the basic command line options are doing well.

It appears to me that there might be more features and functionality to offer
around URL queries, as they are a bit quirky and often the URL component people
seem to struggle and work with the most. Most of the latest new features have
improved and extended query management.

We surpassed 2,000 GitHub stars and even more distributions are now packaging
trurl.

## CVE

When I recently submitted a request for a CVE Id and we received
CVE-2023-27538 [1], I did it my usual way. I copy and pasted the first
paragraphs from the advisory draft into the request form describing the
issue. The request for a CVE is made using HackerOne as our CNA. Like we have
done for a while.

HackerOne edited this description **and inserted an error** in the text. It
now starts with saying "An authentication bypass vulnerability exists in
libcurl v8.0.0" (while in fact 8.0.0 is the first fixed version.)

The result is that now NVD [2] and pretty much the entire world repeats this
mistake (I discovered it in Debian's version [3] of the advisory) since
everyone imports this description. Interestingly, the metadata below on the
NVD dataset is right so this is just an error in the description.

I've filed yet another support issue with HackerOne about this - and I am also
in talks with them about what I believe the shortcomings are in how they provide
this service. This is not the first beef I have had with HackerOne's CNA side.

I've also submitted a CVE update request to MITRE asking for the description
to get fixed.

NVD also calls this a **severity medium** flaw, but that's just the same old
issue with them doing their own assessment and they think this is a good
idea. I've actually complained to them about this as well, but that's a policy
of theirs that my opinions will not change.

## keynote

I have agreed to do a twenty-minute keynote and talk about curl at an event
next week here in Stockholm apparently angled towards EU peeps about Open
Source and related matters: Open Source Driving the European Digital Decade
[5]

## HTTP/2 with proxy

We merged additional code this week that now also allows the curl tool to
enable HTTP/2 with HTTPS proxies. I wrote up a blog post about it [6]. Can you
believe curl has supported this protocol version for almost ten years already?

## Coming up

- live-stream on Monday
- Keynote on Tuesday
- in Berlin Wednesday to Friday
- curl feature freeze begins on Thursday

## Links

[1] = https://curl.se/docs/CVE-2023-27538.html
[2] = https://nvd.nist.gov/vuln/detail/CVE-2023-27538
[3] = https://security-tracker.debian.org/tracker/CVE-2023-27538
[4] = https://youtu.be/fEgP6fsb-lY
[5] = https://openforumeurope.org/event/oss-swedish-eu-presidency/
[6] = https://daniel.haxx.se/blog/2023/04/14/curl-speaks-http-2-with-proxy/
[7] = https://github.com/curl/trurl/releases/tag/trurl-0.4
[8] = https://github.com/curl/curl/pull/10935


-- 

  / daniel.haxx.se

