Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 923413 (CVE-2024-0853) - <net-misc/curl-8.6.0: OCSP verification bypass with TLS session reuse
Summary: <net-misc/curl-8.6.0: OCSP verification bypass with TLS session reuse
Alias: CVE-2024-0853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B4 [stable?]
Depends on:
Reported: 2024-01-31 10:29 UTC by Sam James
Modified: 2024-01-31 10:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-31 10:29:24 UTC

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.

This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-0853 to this issue.

CWE-299: Improper Check for Certificate Revocation

Severity: Low
Comment 1 Larry the Git Cow gentoo-dev 2024-01-31 10:32:41 UTC
The bug has been referenced in the following commit(s):

commit 37801e438b1b11c3ec8c06678b647aea906c2d93
Author:     Matt Jolly <>
AuthorDate: 2024-01-31 10:14:03 +0000
Commit:     Sam James <>
CommitDate: 2024-01-31 10:29:52 +0000

    net-misc/curl: add 8.6.0
    Signed-off-by: Matt Jolly <>
    Signed-off-by: Sam James <>

 net-misc/curl/Manifest          |   2 +
 net-misc/curl/curl-8.6.0.ebuild | 365 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 367 insertions(+)