[sylpheed:34520] Re: 3.1/Win32 and curl.exe
Gisle Vanem
gvanem at broadpark.no
Wed Apr 6 05:50:30 JST 2011
"Gene Goldenfeld" <genegold at fastmail.fm> wrote:
> Last night, Secunia PSI showed curl.exe, a file used by Sylpheed and
> another program I have, as "insecure." Sylpheed's version is 7.19.4.0
> and the new one is 7.21.4.0. I downloaded and copied it over. Today,
> Sylpheed opened alright, but several seconds later there was an error
> box, "curl.exe - unable to locate component. libssl32.dll not found.
> Reinstall the application.." Repeated it just to be sure. The odd thing
> is that libssl32.dll is not in the Sylpheed 3.1.0/Win32 package, as far
> as I can tell, and bringing it in just creates another curl.exe error
> message: "HMAC_clean up could not be located in the dynamic library
> libeay32.dll." I've gone back to 7.19.4.0 for now (with the
> libssl32.dll I downloaded still there). Ironically, a PSI scan
> afterward didn't find curl.exe 7.19.4 insecure, tho I wonder if it's
> just a matter of time before it does.

No, I've been using/building/contributing to curl and libcurl for years.
There aren't any backdoors or malware in it (if that's what you insinuate).
What does Secunia PSI mean by "insecure"? I think this is a case of a false
positive, but hard to tell w/o any more info.

If your curl is outdated that isn't the fault of the curl/libcurl developer, but
rather you or the ones packaging the Sylpheed distro.

The problem with the missing "HMAC_clean()" is just the "DLL hell" problem.
You need to update both curl *and* the OpenSSL libs (libssl32.dll and libeay32.dll)
to the current version (1.1.0 I think). I have libcurl, curl and OpenSSL installed here (in
fact I build these myself regularly... I don't trust software I cannot build myself :-))

I checked with "depends curl.exe"; it doesn't import anything resembling
"HMAC_clean" from libeay32.dll. I also checked the latest OpenSSL sources;
there isn't any function called "HMAC_clean()".

--gv