From ${URL} : After testing the original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from a file is used for one TLS connection but no certificate is set for a subsequent TLS connection. The original patch for CVE-2016-5420 has been amended to also contain the attached patch: https://curl.haxx.se/CVE-2016-5420.patch

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
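As an added illustration of the connection-reuse check at issue (this is not curl's own code: libcurl's real fix compares the TLS configuration of a cached connection before reusing it, whereas this toy models only the client-certificate field; the hostname and certificate path are constructed for the example):

```c
/* Added example (not curl's own code): a toy TLS connection cache that
 * contrasts the reuse policy described in the report with a corrected one.
 * Hostname and certificate path below are constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 8

struct tls_conn {
    char host[64];
    int  port;
    char client_cert[128]; /* "" when the handshake sent no client certificate */
};

struct conn_cache {
    struct tls_conn conns[MAX_CONNS];
    int count;
};

/* Record a freshly established connection; returns its index, or -1 if full. */
static int cache_add(struct conn_cache *c, const char *host, int port,
                     const char *client_cert)
{
    if (c->count >= MAX_CONNS)
        return -1;
    struct tls_conn *conn = &c->conns[c->count];
    snprintf(conn->host, sizeof conn->host, "%s", host);
    conn->port = port;
    snprintf(conn->client_cert, sizeof conn->client_cert, "%s",
             client_cert ? client_cert : "");
    return c->count++;
}

/* Buggy policy: any cached connection to the same host:port is reused,
 * regardless of how it was authenticated. */
static int find_reusable_buggy(const struct conn_cache *c, const char *host,
                               int port, const char *client_cert)
{
    (void)client_cert; /* never consulted: this is the defect */
    for (int i = 0; i < c->count; i++)
        if (c->conns[i].port == port && strcmp(c->conns[i].host, host) == 0)
            return i;
    return -1;
}

/* Fixed policy: the cached connection's client-cert setting must equal the
 * new transfer's, with "no certificate" treated as a distinct value. */
static int find_reusable_fixed(const struct conn_cache *c, const char *host,
                               int port, const char *client_cert)
{
    const char *want = client_cert ? client_cert : "";
    for (int i = 0; i < c->count; i++)
        if (c->conns[i].port == port && strcmp(c->conns[i].host, host) == 0 &&
            strcmp(c->conns[i].client_cert, want) == 0)
            return i;
    return -1;
}

/* Simulate two transfers to one host: the first with first_cert, the second
 * with second_cert (NULL = none). Returns the client-cert string the second
 * transfer is actually authenticated with under the chosen policy, or NULL
 * if it had to open a fresh connection. */
static const char *second_transfer_identity(bool fixed, const char *first_cert,
                                            const char *second_cert)
{
    static char result[128];
    struct conn_cache cache = {0};
    cache_add(&cache, "example.test", 443, first_cert);
    int idx = fixed ? find_reusable_fixed(&cache, "example.test", 443, second_cert)
                    : find_reusable_buggy(&cache, "example.test", 443, second_cert);
    if (idx < 0)
        return NULL;
    snprintf(result, sizeof result, "%s", cache.conns[idx].client_cert);
    return result;
}

int main(void)
{
    const char *cert = "/etc/ssl/private/client.pem"; /* constructed path */
    const char *id;
    id = second_transfer_identity(false, cert, NULL);
    printf("buggy policy: second transfer %s\n",
           id ? "reuses the cert-authenticated connection" : "opens a fresh connection");
    id = second_transfer_identity(true, cert, NULL);
    printf("fixed policy: second transfer %s\n",
           id ? "reuses the cert-authenticated connection" : "opens a fresh connection");
    return 0;
}
```

With the buggy policy the second, certificate-less transfer silently rides on the connection that was authenticated with the first transfer's client certificate, which is exactly the identity leak the report describes. The fixed policy treats "no certificate" as its own value and opens a fresh connection; the same comparison also blocks the opposite direction, where a transfer that asks for a certificate would otherwise be sent over an unauthenticated connection.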
According to https://curl.haxx.se/docs/adv_20160803B.html which is where that patch comes from, versions >= 7.50.1, which we are currently stabilizing, are not vulnerable.
(In reply to Anthony Basile from comment #1)
> According to https://curl.haxx.se/docs/adv_20160803B.html which is where
> that patch comes from, versions >= 7.50.1, which we are currently
> stabilizing, are not vulnerable.

Actually it looks like they forgot to update the notice on the page, because the modified patch is NOT in 7.50.1 but in 7.50.2, which just got pushed out. I just added 7.50.2 and we should start rapid stabilization on it:
KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
@arch teams: sorry, we have to restart this again with 7.50.3. Please take a look at bug #593716.
Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47 by GLSA coordinator Thomas Deutschmann (whissi).