Bug 592974 (CVE-2016-7141) - <net-misc/curl-7.50.2: Incorrect reuse of client certificates (CVE-2016-7141)
Summary: <net-misc/curl-7.50.2: Incorrect reuse of client certificates (CVE-2016-7141)
Status: RESOLVED FIXED
Alias: CVE-2016-7141
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2016-7167
Blocks:
Reported: 2016-09-06 08:08 UTC by Agostino Sarubbo
Modified: 2017-01-19 19:31 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2016-09-06 08:08:26 UTC
From ${URL} :

After testing the original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection.

The original patch for CVE-2016-5420 has been amended to also contain the attached patch:

https://curl.haxx.se/CVE-2016-5420.patch


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
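The reuse decision the description refers to, modelled as an added example (this is not libcurl's, NSS's or Gentoo's code): a connection-cache matcher that compares only host and port beside one that also compares the client-certificate setting, treating "no certificate" as distinct from any certificate path. The struct, function names, host and file path are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of a cached TLS connection. The field names are constructed
 * for this example and are not libcurl's own structures. */
struct tls_conn {
    const char *host;
    int port;
    const char *client_cert; /* client certificate file used, NULL if none was set */
};

/* Equality for optional strings: both absent matches, one absent does not. */
static bool opt_str_equal(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Matching that ignores the client certificate: the behaviour the bug
 * describes, where a connection authenticated with a certificate can be
 * handed to a later transfer that configured no certificate at all. */
bool can_reuse_ignoring_cert(const struct tls_conn *cached,
                             const struct tls_conn *wanted)
{
    return strcmp(cached->host, wanted->host) == 0 &&
           cached->port == wanted->port;
}

/* Corrected matching: the client-certificate configuration is part of the
 * reuse key, so "cert set" and "no cert" never share a connection. */
bool can_reuse_checking_cert(const struct tls_conn *cached,
                             const struct tls_conn *wanted)
{
    return can_reuse_ignoring_cert(cached, wanted) &&
           opt_str_equal(cached->client_cert, wanted->client_cert);
}

/* Scenario from the description: the first transfer uses a certificate
 * file, the second sets none. Returns 1 if the matcher would reuse. */
int scenario_cert_then_none(bool (*matcher)(const struct tls_conn *,
                                            const struct tls_conn *))
{
    /* constructed sample values */
    const struct tls_conn first  = { "example.test", 443, "/path/to/client.pem" };
    const struct tls_conn second = { "example.test", 443, NULL };
    return matcher(&first, &second) ? 1 : 0;
}

/* Control: the same certificate on both transfers may legitimately share. */
int scenario_same_cert(bool (*matcher)(const struct tls_conn *,
                                       const struct tls_conn *))
{
    const struct tls_conn first  = { "example.test", 443, "/path/to/client.pem" };
    const struct tls_conn second = { "example.test", 443, "/path/to/client.pem" };
    return matcher(&first, &second) ? 1 : 0;
}

int main(void)
{
    printf("ignoring cert, cert-then-none reused: %d\n",
           scenario_cert_then_none(can_reuse_ignoring_cert));
    printf("checking cert, cert-then-none reused: %d\n",
           scenario_cert_then_none(can_reuse_checking_cert));
    printf("checking cert, same cert reused:      %d\n",
           scenario_same_cert(can_reuse_checking_cert));
    return 0;
}
```

The point of `opt_str_equal` is that an absent certificate must compare unequal to any present one; a matcher that only compares two non-NULL paths and skips the check when either side is NULL would reintroduce exactly the reuse the description reports.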
Comment 1 Anthony Basile gentoo-dev 2016-09-06 19:21:56 UTC
According to https://curl.haxx.se/docs/adv_20160803B.html which is where that patch comes from, versions >= 7.50.1, which we are currently stabilizing, are not vulnerable.
Comment 2 Anthony Basile gentoo-dev 2016-09-07 09:06:18 UTC
(In reply to Anthony Basile from comment #1)
> According to https://curl.haxx.se/docs/adv_20160803B.html which is where
> that patch comes from, versions >= 7.50.1, which we are currently
> stabilizing, are not vulnerable.

Actually it looks like they forgot to update the notice on the page because the modified patch is NOT in 7.50.1 but in 7.50.2, which just got pushed out.

I just added 7.50.2 and we should start rapid stabilization on it:

KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-09-09 05:02:20 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2016-09-10 12:50:13 UTC
amd64 stable
Comment 5 Anthony Basile gentoo-dev 2016-09-15 08:27:02 UTC
@arch teams.  Sorry we have to restart this again with 7.50.3.  Please take a look at bug #593716.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2016-10-31 05:46:14 UTC
Added to an existing GLSA Request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:27:06 UTC
This issue was resolved and addressed in GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47 by GLSA coordinator Thomas Deutschmann (whissi).
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2017-01-19 19:31:55 UTC
This issue was resolved and addressed in GLSA 201701-47 at https://security.gentoo.org/glsa/201701-47 by GLSA coordinator Thomas Deutschmann (whissi).