> if there is such a bug, I'm sure someone will figure out how to get in touch with Daniel and co
replyNo, that is the point, they are not going to accept your vuln report. They are taking a holiday.
Except if you pay them for a support contract. So there is a way, and it's actually a pretty obvious way.
replyI wonder if the likes of Red Hat, SuSE and Canonical have a support contract as they are commercial redistributors.
replyThere's a pretty big difference between a random report submitted via email, and, say, a close friend of the maintainers letting them know a serious vuln was found and they should login.
replyCurl maintainers are clearly going to still be using computers to provide support for paid customers.
replyBut the message is pretty clear: if you’re not a paid customer, you are not getting patches or support from upstream during this month.
Plan accordingly.
Not if it's a real vacation. If it was me then there would be no way I'd log in. Maybe this will increase the sales of support contracts.
reply> curl is mature enough that the chance of an impactful bug is basically zero
replyCurl is also something that should be thoroughly sandboxed to begin with, because even if there are no vulnerabilities in curl itself, its a tool for downloading arbitrary data over the internet, and you may well accidentally trigger vulnerabilities in every other part of your environment just by downloading arbitrary data to your shell...