Builder curl-threaded-solaris11-sparc Build #5937

Results:

Build successful

SourceStamp:

Project curl
Repository https://github.com/curl/curl.git
Branch master
Revision be6c4ee7faaa55c62567a8c3fb0f4e98a482292e
Got Revision be6c4ee7faaa55c62567a8c3fb0f4e98a482292e
Changes 1 change

BuildSlave:

unstable11s

Reason:

The SingleBranchScheduler scheduler named 'schedule-curl-threaded-solaris11-sparc' triggered this build

Steps and Logfiles:

  1. git update ( 6 secs )
    1. stdio
  2. Runtest './tests/testcurl.pl --nogitpull ...' ( 24 mins, 23 secs )
    1. stdio
    2. resultlog
  3. Mail result 'cat resultlog ...' ( 0 secs )
    1. stdio

Build Properties:

Name Value Source
branch master Build
builddir /export/home/buildbot/slave/curl-threaded-solaris11-sparc slave
buildername curl-threaded-solaris11-sparc Builder
buildnumber 5937 Build
codebase Build
got_revision be6c4ee7faaa55c62567a8c3fb0f4e98a482292e Git
osplatform SPARC SetPropertyFromCommand Step
osrelease 11 SetPropertyFromCommand Step
project curl Build
repository https://github.com/curl/curl.git Build
revision be6c4ee7faaa55c62567a8c3fb0f4e98a482292e Build
scheduler schedule-curl-threaded-solaris11-sparc Scheduler
slavename unstable11s BuildSlave
workdir /export/home/buildbot/slave/curl-threaded-solaris11-sparc slave (deprecated)

Forced Build Properties:

Name Label Value

Responsible Users:

  1. Joshua Rogers

Timing:

Start Tue Jun 2 13:32:55 2026
End Tue Jun 2 13:57:27 2026
Elapsed 24 mins, 31 secs

All Changes:

  1. Change #269196

    Category curl
    Changed by Joshua Rogers <MegaManSecohnoyoudont@users.noreply.github.com>
    Changed at Tue 02 Jun 2026 13:30:35
    Repository https://github.com/curl/curl.git
    Project curl
    Branch master
    Revision be6c4ee7faaa55c62567a8c3fb0f4e98a482292e

    Comments

    gtls: verify OCSP response signature in gtls_verify_ocsp_status
    Since aeb1a281ca ("gtls: fix OCSP stapling management"), the function
    parses the stapled OCSP response and reads the certificate status via
    gnutls_ocsp_resp_get_single(), but never calls gnutls_ocsp_resp_verify()
    or gnutls_ocsp_resp_verify_direct(). A response with a forged or
    corrupted signature is accepted without question.
    
    Fix by calling gnutls_ocsp_resp_verify() against the trust list obtained
    from the session credentials immediately after gnutls_ocsp_resp_import().
    This handles both directly-signed responses and delegated OCSP responders
    without requiring the issuer certificate to be present in the peer chain.
    
    The missing check only affects the CURLOPT_SSL_VERIFYSTATUS code path
    when CURLOPT_SSL_VERIFYPEER is disabled. With peer verification enabled,
    gnutls_certificate_verify_peers2() independently catches the invalid
    response via GNUTLS_CERT_INVALID_OCSP_STATUS before
    gtls_verify_ocsp_status() is reached. As a result, no attack is possible
    that is not already trivially achievable without OCSP stapling when peer
    verification is off. This is a correctness and consistency fix, not a
    security vulnerability.
    
    Reported-by: Joshua Rogers
    
    Closes #21677

    Changed files

    • lib/vtls/gtls.c