Summary: <net-misc/curl-7.53.0: SSL_VERIFYSTATUS ignored
Product: Gentoo Security
Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Whiteboard: A4 [glsa cve]
Runtime testing required: ---
Description Thomas Deutschmann (RETIRED) 2017-02-22 15:58:40 UTC
From $URL:

curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error.

Due to a coding mistake, the code that checks for a test success or failure ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question, contrary to how it used to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes invalid or otherwise being misled that the server is in a better shape than it is in reality.

This flaw also exists in the command line tool (--cert-status).

We are not aware of any exploit of this flaw.
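The practical check a Gentoo admin wants after this bug is whether the installed curl actually enforces --cert-status, not merely whether the version string says 7.53.0. The script below is an added example; it is not part of the bug report and not curl's own code. It assumes curl exits with code 91 (CURLE_SSL_INVALIDCERTSTATUS) when the certificate status check fails, and that the caller knows whether the probed host staples an OCSP response (a host known not to staple is the useful probe: a clean exit 0 there is exactly the ignored-status behaviour described above). Host names and the sample curl --version line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug or from curl: verify that the installed
# curl enforces --cert-status rather than silently accepting a missing
# OCSP staple. Assumptions: 7.53.0 is the first fixed release, and curl
# returns exit 91 (CURLE_SSL_INVALIDCERTSTATUS) when the status check fails.

# parse_curl_version "<first line of curl --version>" -> "7.53.0"
parse_curl_version() {
    set -- $1           # word-split: "curl 7.53.0 (triplet) libcurl/..."
    printf '%s\n' "$2"
}

# version_ge A B -> exit 0 if dotted numeric version A >= B (up to 3 parts,
# missing parts count as 0; suffixes like -r1 are not handled)
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s.\n' "$1" | cut -s -d. -f"$i")
        b=$(printf '%s.\n' "$2" | cut -s -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# cert_status_verdict EXIT EXPECT_STAPLE -> one-line verdict
#   EXPECT_STAPLE=yes: host is known to staple, so 0 is good and 91 is a real
#                      certificate problem
#   EXPECT_STAPLE=no : host is known NOT to staple, so 91 proves the check is
#                      enforced and 0 means the status was ignored (this bug)
cert_status_verdict() {
    case "$2:$1" in
        yes:0)  echo "ok: stapled OCSP response accepted" ;;
        yes:91) echo "fail: staple expected but curl reported invalid status (exit 91)" ;;
        no:91)  echo "ok: missing staple rejected (exit 91), check is enforced" ;;
        no:0)   echo "vulnerable: missing staple accepted, SSL_VERIFYSTATUS ignored" ;;
        *)      echo "unknown: curl exit $1 is not a certificate-status verdict" ;;
    esac
}

# check_host HOST EXPECT_STAPLE -> run the real probe and print the verdict
check_host() {
    rc=0
    curl --silent --show-error --output /dev/null --cert-status "https://$1/" || rc=$?
    cert_status_verdict "$rc" "$2"
}

# Usage: sh check-cert-status.sh HOST [yes|no]   (no = host does not staple)
if [ "$#" -ge 1 ]; then
    ver=$(parse_curl_version "$(curl --version | head -n 1)")
    if version_ge "$ver" 7.53.0; then
        echo "curl $ver: at or above the fixed release"
    else
        echo "curl $ver: older than 7.53.0, affected by this bug"
    fi
    check_host "$1" "${2:-no}"
fi
```

Run it against a host you know does not staple (EXPECT_STAPLE=no); a fixed curl prints the exit-91 line, an affected one prints "vulnerable". Note that --cert-status is only implemented for some TLS backends (OpenSSL, GnuTLS, NSS at the time of this bug); with a backend that lacks it curl refuses with a not-built-in error, which the script reports as "unknown" rather than as a pass.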
Comment 1 Thomas Deutschmann (RETIRED) 2017-02-22 16:00:36 UTC
@ Maintainer(s): Can we already start stabilization of =net-misc/curl-7.53.0?
Comment 2 Anthony Basile 2017-02-22 23:28:08 UTC
(In reply to Thomas Deutschmann from comment #1)
> @ Maintainer(s): Can we already start stabilization of =net-misc/curl-7.53.0?

Yes. KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Michael Weber (RETIRED) 2017-02-23 09:42:42 UTC
Comment 4 Michael Weber (RETIRED) 2017-02-23 10:46:41 UTC
arm ppc stable.
Comment 5 Jeroen Roovers (RETIRED) 2017-02-23 11:47:47 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo 2017-02-23 15:56:02 UTC
Comment 7 Agostino Sarubbo 2017-02-23 16:31:30 UTC
Comment 8 Agostino Sarubbo 2017-02-25 10:06:00 UTC
Comment 9 Tobias Klausmann (RETIRED) 2017-02-28 11:25:17 UTC
Stable on alpha.
Comment 10 Yury German 2017-03-07 21:40:37 UTC
ia64 please complete stabilization.

GLSA Vote: Yes

Starting GLSA writing process.
Comment 11 Agostino Sarubbo 2017-03-11 17:18:54 UTC
ia64 stable. Maintainer(s), please cleanup.
Comment 12 GLSAMaker/CVETool Bot 2017-03-28 02:52:01 UTC
This issue was resolved and addressed in GLSA 201703-04 at https://security.gentoo.org/glsa/201703-04 by GLSA coordinator Yury German (BlueKnight).
Comment 13 Yury German 2017-03-28 02:53:11 UTC
Re-opening for cleanup. Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German 2017-04-11 05:40:03 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Thomas Deutschmann (RETIRED) 2017-06-04 12:41:55 UTC
Cleanup PR: https://github.com/gentoo/gentoo/pull/4846
Comment 16 Thomas Deutschmann (RETIRED) 2017-06-04 12:54:32 UTC
Repository is now clean, all done.