[arch-security] [ASA-201704-12] curl: certificate verification bypass
rgacogne at archlinux.org
Sat Apr 29 22:15:27 UTC 2017
Arch Linux Security Advisory ASA-201704-12
Date : 2017-04-29
CVE-ID : CVE-2017-7468
Package : curl
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-241
The package curl before version 7.54.0-1 is vulnerable to certificate
Upgrade to 7.54.0-1.
# pacman -Syu "curl>=7.54.0-1"
The problem has been fixed upstream in version 7.54.0.
libcurl from 7.52.0 to and including 7.53.1 would attempt to resume a
TLS session even if the client certificate had changed. That is
unacceptable since a server by specification is allowed to skip the
client certificate check on resume, and may instead use the old
identity which was established by the previous certificate (or no
This flaw is a regression and identical to CVE-2016-5419 reported on
August 3rd 2016, but affecting a different version range.
An attacker can bypass a client certificate check by taking advantage
of TLS session resumption to reuse a previously established session.
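The keying mistake described above, as an added Python model that is not libcurl's code: a session cache keyed only on host and port lets a connection made with a different (or no) client certificate resume a session authenticated under the earlier certificate, while a key that also carries the client-certificate fingerprint forces a fresh handshake for each identity. The host name, port and certificate bytes are constructed stand-ins.

```python
# Added model of the session-cache keying behind CVE-2017-7468; not libcurl code.
# key_on_client_cert=False models libcurl 7.52.0 to 7.53.1, True models 7.54.0.
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for PEM client certificates (not real certificates).
CERT_A = b"-----BEGIN CERTIFICATE-----\nclient-A\n-----END CERTIFICATE-----\n"
CERT_B = b"-----BEGIN CERTIFICATE-----\nclient-B\n-----END CERTIFICATE-----\n"


def cert_fingerprint(cert: Optional[bytes]) -> Optional[str]:
    """SHA-256 over the certificate bytes; None when no client cert is configured."""
    return hashlib.sha256(cert).hexdigest() if cert is not None else None


class SessionCache:
    """Minimal TLS session cache keyed either on (host, port) alone or on
    (host, port, client-cert fingerprint)."""

    def __init__(self, key_on_client_cert: bool) -> None:
        self.key_on_client_cert = key_on_client_cert
        self._sessions: Dict[Tuple, str] = {}

    def _key(self, host: str, port: int, client_cert: Optional[bytes]) -> Tuple:
        key: Tuple = (host, port)
        if self.key_on_client_cert:
            key += (cert_fingerprint(client_cert),)
        return key

    def connect(self, host: str, port: int, client_cert: Optional[bytes]) -> str:
        """Return 'resumed' when a cached session is reused, otherwise perform a
        (simulated) full handshake, which is where the server checks the cert."""
        key = self._key(host, port, client_cert)
        if key in self._sessions:
            return "resumed"
        self._sessions[key] = cert_fingerprint(client_cert) or "no-client-cert"
        return "full-handshake"


def run_sequence(key_on_client_cert: bool) -> List[str]:
    """Connect to one host with CERT_A, then CERT_B, then no certificate at all."""
    cache = SessionCache(key_on_client_cert)
    return [cache.connect("example.test", 443, c) for c in (CERT_A, CERT_B, None)]


if __name__ == "__main__":
    # Vulnerable keying resumes the CERT_A session for the other two identities.
    print("vulnerable keying:", run_sequence(False))
    # Fixed keying performs a full handshake for every distinct identity.
    print("fixed keying:     ", run_sequence(True))
```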