
Bug 590482 (CVE-2016-5419, CVE-2016-5420, CVE-2016-5421)

Summary: <net-misc/curl-7.50.1: multiple vulnerabilities (CVE-2016-{5419,5420,5421})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: blueness, gregkh
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://curl.haxx.se/changes.html
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 593716    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2016-08-04 15:34:34 UTC
From ${URL} :

Bugfixes:
TLS: switch off SSL session id when client cert is used
TLS: only reuse connections with the same client cert
curl_multi_cleanup: clear connection pointer for easy handles


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Anthony Basile gentoo-dev 2016-08-04 19:59:28 UTC
(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

yes, start stabilization.

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-08-04 21:11:25 UTC
to be specific I think they mean 0.50.1...
Comment 3 Anthony Basile gentoo-dev 2016-08-04 21:53:14 UTC
(In reply to Matthew Thode ( prometheanfire ) from comment #2)
> to be specific I think they mean 0.50.1...

yes, we should have that in the title, I just assumed it was there.
Comment 4 Agostino Sarubbo gentoo-dev 2016-08-07 10:46:03 UTC
amd64 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-08-08 12:00:56 UTC
Stable for HPPA PPC64.
Comment 6 Markus Meier gentoo-dev 2016-08-12 19:21:38 UTC
arm stable
Comment 7 Tobias Klausmann (RETIRED) gentoo-dev 2016-09-02 19:21:47 UTC
Stable on alpha.
Comment 8 Anthony Basile gentoo-dev 2016-09-07 08:52:46 UTC
@remaining arch team.  please halt, we need to start over with 7.50.2 because of an update to the fix to the cert vulnerability, see bug #592974.

@security team.  this bug is obsolete wrt bug #592974.  it's the same vulnerability but the original fix was incomplete.  I won't change the status on this bug report, but please act accordingly.
Comment 9 Anthony Basile gentoo-dev 2016-09-15 08:29:32 UTC
@arch teams, we need to start over with bug #593716 as yet another vulnerability was found.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 15:17:32 UTC
CVE-2016-5421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5421):
  Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to
  control which connection is used or possibly have unspecified other impact
  via unknown vectors.

CVE-2016-5420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5420):
  curl and libcurl before 7.50.1 do not check the client certificate when
  choosing the TLS connection to reuse, which might allow remote attackers to
  hijack the authentication of the connection by leveraging a previously
  created connection with a different client certificate.

CVE-2016-5419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5419):
  curl and libcurl before 7.50.1 do not prevent TLS session resumption when
  the client certificate has changed, which allows remote attackers to bypass
  intended restrictions by resuming a session.
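The CVE-2016-5420 entry above describes the core of the "cert vulnerability" this thread is about: libcurl's connection cache matched a reusable connection on destination alone, so an easy handle configured with one client certificate could be handed a connection that was authenticated with a different one. The following is an added illustration, not curl's own source and not part of this bug report: a miniature connection cache with the pre-7.50.1 style lookup (host and port only) next to the corrected lookup that also requires the same client certificate. All type and function names (conn_cache_t, find_reusable_vulnerable, find_reusable_fixed, demo_cross_cert_reuse) and the certificate paths are hypothetical; the input data is constructed for the example.

```c
/* Added example, not libcurl code. Models why connection reuse must be
 * keyed on the client certificate (CVE-2016-5420) and not only on host:port.
 * Hypothetical names throughout; the cached entries below are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 8

typedef struct {
    const char *host;
    int port;
    const char *client_cert;  /* cert presented when the connection was set up, NULL if none */
    int in_use;
} cached_conn_t;

typedef struct {
    cached_conn_t conns[MAX_CONNS];
    int count;
} conn_cache_t;

/* NULL-safe string equality: "no client cert" must only match "no client cert". */
static int same_str(const char *a, const char *b) {
    if (a == NULL && b == NULL) return 1;
    if (a == NULL || b == NULL) return 0;
    return strcmp(a, b) == 0;
}

/* Adds an idle connection to the cache; returns its index or -1 when full. */
int cache_add(conn_cache_t *c, const char *host, int port, const char *client_cert) {
    if (c->count >= MAX_CONNS) return -1;
    cached_conn_t *e = &c->conns[c->count];
    e->host = host;
    e->port = port;
    e->client_cert = client_cert;
    e->in_use = 0;
    return c->count++;
}

/* Pre-fix behaviour, simplified: any idle connection to the same host:port
 * is reused, regardless of which client certificate authenticated it. */
int find_reusable_vulnerable(const conn_cache_t *c, const char *host, int port,
                             const char *client_cert) {
    (void)client_cert;  /* the identity is ignored, which is the bug */
    for (int i = 0; i < c->count; i++) {
        const cached_conn_t *e = &c->conns[i];
        if (!e->in_use && strcmp(e->host, host) == 0 && e->port == port)
            return i;
    }
    return -1;
}

/* Fixed behaviour: the client certificate is part of the match key, so a
 * request using a different cert (or none) gets a fresh connection. */
int find_reusable_fixed(const conn_cache_t *c, const char *host, int port,
                        const char *client_cert) {
    for (int i = 0; i < c->count; i++) {
        const cached_conn_t *e = &c->conns[i];
        if (!e->in_use && strcmp(e->host, host) == 0 && e->port == port &&
            same_str(e->client_cert, client_cert))
            return i;
    }
    return -1;
}

/* Scenario: a connection authenticated as "alice" sits idle in the cache and
 * a handle configured as "bob" asks for a connection to the same server.
 * Returns the index handed to bob, or -1 if the lookup correctly refuses. */
int demo_cross_cert_reuse(int use_fixed_lookup) {
    conn_cache_t cache;
    memset(&cache, 0, sizeof cache);
    cache_add(&cache, "api.example.test", 443, "/etc/ssl/private/alice.pem");
    if (use_fixed_lookup)
        return find_reusable_fixed(&cache, "api.example.test", 443,
                                   "/etc/ssl/private/bob.pem");
    return find_reusable_vulnerable(&cache, "api.example.test", 443,
                                    "/etc/ssl/private/bob.pem");
}

int main(void) {
    printf("vulnerable lookup hands bob alice's connection: index %d\n",
           demo_cross_cert_reuse(0));
    printf("fixed lookup refuses: index %d\n", demo_cross_cert_reuse(1));
    return 0;
}
```

The same rule applies to the CVE-2016-5419 entry: a cached TLS session carries the client identity that was authenticated during the full handshake, so resuming it from a handle configured with a different certificate bypasses that authentication in exactly the way the cross-cert connection reuse does; the changelog item "switch off SSL session id when client cert is used" is the conservative form of the same fix.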
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:26:58 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:31:48 UTC
This issue was resolved and addressed in
 GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47
by GLSA coordinator Thomas Deutschmann (whissi).