Package: curl
Version: 7.36.0-1+b1
Severity: important
Tags: security

I suppose that though this is documented in the curl(1) man page (quite poorly), most users don't know that curl doesn't have any check for certificate revocation by default. Before the Heartbleed bug, this could be regarded as not very important. But now there may have been many more leaks than before. So, curl should use an up-to-date Certificate Revocation List by default (which it supports) or some other alternate method like Firefox.

As an example, https://www.cloudflarechallenge.com/ could be tried.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages curl depends on:
ii  libc6     2.18-4
ii  libcurl3  7.36.0-1+b1
ii  zlib1g    1:1.2.8.dfsg-1

curl recommends no packages.

curl suggests no packages.

-- no debconf information
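
The gap described in the report, reproduced offline as an added example (not part of the original bug report or of curl): a throwaway CA issues and then revokes a certificate, and `openssl verify` keeps accepting it until a CRL is supplied. It assumes the `openssl` CLI is installed; the CA name, host name and file names are constructed, and curl's counterpart to `-CRLfile` is its `--crlfile` option.

```shell
#!/bin/sh
# Constructed demo PKI: throwaway CA "demo-ca", leaf "leaf.example", and a CRL
# revoking that leaf. All names and files are made up for this example.
make_demo_pki() {   # $1 = scratch directory
    d=$1
    mkdir -p "$d/newcerts"; : > "$d/index.txt"
    echo 01 > "$d/serial"; echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = req
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=demo-ca \
        -config "$d/ca.cnf" -extensions v3_ca -keyout "$d/ca.key" -out "$d/ca.pem" &&
    openssl req -newkey rsa:2048 -nodes -subj /CN=leaf.example \
        -config "$d/ca.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    openssl ca -batch -config "$d/ca.cnf" -in "$d/leaf.csr" -out "$d/leaf.pem" &&
    openssl ca -config "$d/ca.cnf" -revoke "$d/leaf.pem" &&
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem"
}
# Chain validation only: signature and expiry are checked, revocation is not.
verify_chain_only() { openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1; }
# Same validation, but the leaf is also looked up in the supplied CRL.
verify_with_crl() {
    openssl verify -CAfile "$1/ca.pem" -crl_check -CRLfile "$1/crl.pem" "$1/leaf.pem" >/dev/null 2>&1
}
demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" >/dev/null 2>&1
verify_chain_only "$demo_dir" && echo "chain-only validation: revoked certificate accepted"
verify_with_crl "$demo_dir" || echo "CRL-checked validation: revoked certificate rejected"
rm -rf "$demo_dir"
```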