mirror of
https://github.com/curl/curl.git
synced 2026-07-16 00:47:17 +03:00
VULN-DISCLOSURE-POLICY: use of weak algos
Not necessarily security problems. Closes #17220
This commit is contained in:
parent
2fa3d528ae
commit
9f57c2ea95
3 changed files with 12 additions and 2 deletions
1
.github/scripts/spellcheck.words
vendored
1
.github/scripts/spellcheck.words
vendored
|
|
@ -176,6 +176,7 @@ DELE
|
|||
DER
|
||||
dereference
|
||||
dereferences
|
||||
DES
|
||||
deselectable
|
||||
deserialization
|
||||
Deserialized
|
||||
|
|
|
|||
|
|
@ -337,3 +337,13 @@ A *legacy dependency* is here defined as:
|
|||
|
||||
- there are modern versions of equivalent or better functionality offered and
|
||||
in common use
|
||||
|
||||
## weak algorithms required for functionality
|
||||
|
||||
curl supports several algorithms that are considered weak, like DES and MD5.
|
||||
These algorithms are still not curl security vulnerabilities or security
|
||||
problems as they are only used when the users explicitly ask for their use by
|
||||
using the protocols or options that require the use of those algorithms.
|
||||
|
||||
When servers upgrade to use secure alternatives, curl users should use those
|
||||
options/protocols.
|
||||
|
|
|
|||
|
|
@ -80,8 +80,7 @@ HTTP NTLM authentication. A proprietary protocol invented and used by
|
|||
Microsoft. It uses a challenge-response and hash concept similar to Digest, to
|
||||
prevent the password from being eavesdropped.
|
||||
|
||||
You need to build libcurl with either OpenSSL or GnuTLS support for this
|
||||
option to work, or build libcurl on Windows with SSPI support.
|
||||
NTLM uses weak cryptographic algorithms and is not considered secure.
|
||||
|
||||
## CURLAUTH_NTLM_WB
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue