curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
for the SSL/TLS layer.
This vulernability has been identified (CVE-2011-3389) and is addressed by
OpenSSL already as they have made a work-around to mitigate the problem.
When doing so, they figured out that some servers didn't work with the
work-around and offered a way to disable it.
The bit used to disable the workaround was then added to the generic
SSL_OP_ALL bitmask that SSL clients may use to enable work-arounds for
better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask.
While SSL_OP_ALL is documented to enable "rather harmless" work-arounds, it
does in this case effectively enable this security vulnerability again.
There is no known exploit for this problem.
*** This bug has been marked as a duplicate of bug 400799 ***