[sylpheed:34522] Re: 3.1/Win32 and curl.exe

Gene Goldenfeld genegold at fastmail.fm
Wed Apr 6 09:12:50 JST 2011


Given the information in the following link, I don't know why the
"insecure" didn't show up some months ago, but here's what I find
right now: http://secunia.com/advisories/39532/.  A search on "Curl"
will turn up some more going back.

As I say, the current version is now 7.21.4.0, but for Sylpheed I've
gone back to 7.19.4.0.  You can look around Secunia to understand
'insecure' better. They don't use that term for just any update. 

Gene





On Tue, 05 Apr 2011 22:50:30 +0200
Gisle Vanem <gvanem at broadpark.no> wrote:

> "Gene Goldenfeld" <genegold at fastmail.fm> wrote:
> 
> >  Last night, Secunia PSI showed curl.exe, a file used by Sylpheed
> > and another program I have, as "insecure."  Sylpheed's version is
> > 7.19.4.0 and the new one is 7.21.4.0.  I downloaded and copied it
> > over. Today, Sylpheed opened alright, but several seconds later
> > there was an error box, "curl.exe - unable to locate component.
> > libssl32.dll not found. Reinstall the application.."  Repeated it
> > just to be sure. The odd thing is that libssl32.dll is not in the
> > Sylpheed 3.1.0/Win32 package, as far as I can tell, and bringing it
> > in just creates another curl.exe error message: "HMAC_clean up
> > could not be located in the dynamic library libeay32.dll." I've
> > gone back to 7.19.4.0 for now (with the libssl32.dll I downloaded
> > still there). Ironically, a PSI scan afterward didn't find curl.exe
> > 7.19.4 insecure, though I wonder if it's just a matter of time before
> > it does.  
> 
> No, I've been using/building/contributing to curl and libcurl for
> years. There aren't any backdoors or malware in it (if that's what you
> insinuate). What does Secunia PSI mean by "insecure"? I think this is
> a case of a false positive, but hard to tell w/o any more info.
> 
> If your curl is outdated that isn't the fault of the curl/libcurl
> developer, but rather you or the ones packaging the Sylpheed distro.
> 
> The problem with the missing "HMAC_clean()" is just the "DLL hell"
> problem. You need to update both curl *and* the OpenSSL libs
> (libssl32.dll and libeay32.dll) to current version (1.1.0 I think). I
> have libcurl, curl and OpenSSL installed here (in fact I build these
> myself regularly... I don't trust software I cannot build myself :-))
> 
> I checked with "depends curl.exe"; it doesn't import anything
> resembling "HMAC_clean" from libeay32.dll. I also checked the latest
> OpenSSL sources; there isn't any function called "HMAC_clean()".
> 
> --gv
> 

