Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 401655

Summary: net-misc/curl<7.23.1: SSL CBC IV vulnerability when built to use OpenSSL for the SSL/TLS layer (CVE-2011-3389, CVE-2012-0036)
Product: Gentoo Security Reporter: Viorel Tabara <gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://curl.haxx.se/docs/adv_20120124B.html
Whiteboard: B3 [ebuild]
Package list:
Runtime testing required: ---

Description Viorel Tabara 2012-01-31 16:40:59 UTC 
curl is vulnerable to a SSL CBC IV vulnerability when built to use OpenSSL
  for the SSL/TLS layer.
 
  This vulernability has been identified (CVE-2011-3389) and is addressed by
  OpenSSL already as they have made a work-around to mitigate the problem.
  When doing so, they figured out that some servers didn't work with the
  work-around and offered a way to disable it.
 
  The bit used to disable the workaround was then added to the generic
  SSL_OP_ALL bitmask that SSL clients may use to enable work-arounds for
  better compatibility with servers. libcurl uses the SSL_OP_ALL bitmask.
 
  While SSL_OP_ALL is documented to enable "rather harmless" work-arounds, it
  does in this case effectively enable this security vulnerability again.
 
  There is no known exploit for this problem.

Reproducible: Always
Comment 1 Viorel Tabara 2012-01-31 16:53:35 UTC 

*** This bug has been marked as a duplicate of bug 400799 ***