From ${URL} :

Bugfixes:
TLS: switch off SSL session id when client cert is used
TLS: only reuse connections with the same client cert
curl_multi_cleanup: clear connection pointer for easy handles

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): since the fixed package is already in the tree, please let
> us know if it is ready for the stabilization or not.

Yes, start stabilization.

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
to be specific I think they mean 0.50.1...
(In reply to Matthew Thode ( prometheanfire ) from comment #2)
> to be specific I think they mean 0.50.1...

Yes, we should have that in the title; I just assumed it was there.
amd64 stable
Stable for HPPA PPC64.
arm stable
Stable on alpha.
@remaining arch team: please halt, we need to start over with 7.50.2 because of an update to the fix to the cert vulnerability, see bug #592974.

@security team: this bug is obsolete w.r.t. bug #592974. It's the same vulnerability, but the original fix was incomplete. I won't change the status on this bug report, but please act accordingly.
@arch teams, we need to start over with bug #593716 as yet another vulnerability was found.
CVE-2016-5421 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5421): Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.

CVE-2016-5420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5420): curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

CVE-2016-5419 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5419): curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
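To illustrate the connection-reuse condition behind CVE-2016-5420 (and the "only reuse connections with the same client cert" fix listed in comment #0), here is an added example that is not libcurl's code: a toy connection pool where the pre-fix matcher keys on host and port only, while the fixed matcher also requires the same client certificate identity. The struct layouts, the `demo_*` functions and the certificate paths are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of a pooled TLS connection; not libcurl's internal struct. */
struct conn {
    const char *host;
    int port;
    const char *client_cert;   /* cert used at handshake, or NULL if none */
};

/* Constructed model of a new transfer asking the pool for a connection. */
struct request {
    const char *host;
    int port;
    const char *client_cert;
};

static bool str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;   /* NULL only equals NULL */
    return strcmp(a, b) == 0;
}

/* Pre-fix behaviour as described in the CVE text: host and port only,
   so a connection authenticated with one client cert is handed to a
   request that configured a different one (or none). */
bool match_host_port_only(const struct conn *c, const struct request *r) {
    return str_eq(c->host, r->host) && c->port == r->port;
}

/* Fixed behaviour: the client cert identity is part of the reuse key. */
bool match_with_client_cert(const struct conn *c, const struct request *r) {
    return match_host_port_only(c, r) && str_eq(c->client_cert, r->client_cert);
}

/* Return the index of the first reusable pooled connection, or -1. */
int find_reusable(const struct conn *pool, size_t n, const struct request *r,
                  bool (*match)(const struct conn *, const struct request *)) {
    for (size_t i = 0; i < n; i++)
        if (match(&pool[i], r)) return (int)i;
    return -1;
}

/* Constructed scenario: a connection authenticated as "alice" sits in the
   pool and a transfer configured with "bob" asks for the same host:port. */
static const struct conn pool[] = {
    {"example.test", 443, "/certs/alice.pem"},
    {"example.test", 443, NULL},
};
static const struct request bob = {"example.test", 443, "/certs/bob.pem"};
static const struct request anon = {"example.test", 443, NULL};

int demo_pre_fix(void)  { return find_reusable(pool, 2, &bob, match_host_port_only); }
int demo_fixed(void)    { return find_reusable(pool, 2, &bob, match_with_client_cert); }
int demo_fixed_anon(void) { return find_reusable(pool, 2, &anon, match_with_client_cert); }
```

`demo_pre_fix` returns 0 (bob's transfer rides alice's authenticated connection); `demo_fixed` returns -1 (no match, a fresh handshake with bob's cert is needed), and `demo_fixed_anon` returns 1 (the unauthenticated connection is still shared only with unauthenticated transfers).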
This issue was resolved and addressed in GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47 by GLSA coordinator Thomas Deutschmann (whissi).