[arch-security] [ASA-201704-12] curl: certificate verification bypass
Arch Linux Security Advisory ASA-201704-12 ========================================== Severity: Medium Date : 2017-04-29 CVE-ID : CVE-2017-7468 Package : curl Type : certificate verification bypass Remote : Yes Link : https://security.archlinux.org/AVG-241 Summary ======= The package curl before version 7.54.0-1 is vulnerable to certificate verification bypass. Resolution ========== Upgrade to 7.54.0-1. # pacman -Syu "curl>=7.54.0-1" The problem has been fixed upstream in version 7.54.0. Workaround ========== None. Description =========== libcurl from 7.52.0 to and including 7.53.1 would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range. Impact ====== An attacker can bypass a client certificate check by taking advantage of TLS session resumption to reuse a previously established session. References ========== https://curl.haxx.se/docs/adv_20170419.html https://security.archlinux.org/CVE-2017-7468
participants (1)
-
Remi Gacogne