Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 610572 (CVE-2017-2629) - <net-misc/curl-7.53.0: SSL_VERIFYSTATUS ignored
Summary: <net-misc/curl-7.53.0: SSL_VERIFYSTATUS ignored
Alias: CVE-2017-2629
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: A4 [glsa cve]
Depends on:
Reported: 2017-02-22 15:58 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-06-04 12:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-22 15:58:40 UTC
From $URL:

curl and libcurl support "OCSP stapling", also known as the TLS Certificate Status Request extension (using the CURLOPT_SSL_VERIFYSTATUS option). When telling curl to use this feature, it uses that TLS extension to ask for a fresh proof of the server's certificate's validity. If the server doesn't support the extension, or fails to provide said proof, curl is expected to return an error.

Due to a coding mistake, the code that checks for a test success or failure, ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. Contrary to how it used to function and contrary to how this feature is documented to work.

This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality.

This flaw also exists in the command line tool (--cert-status).

We are not aware of any exploit of this flaw.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-22 16:00:36 UTC
@ Maintainer(s): Can we already start stabilization of =net-misc/curl-7.53.0?
Comment 2 Anthony Basile gentoo-dev 2017-02-22 23:28:08 UTC
(In reply to Thomas Deutschmann from comment #1)
> @ Maintainer(s): Can we already start stabilization of =net-misc/curl-7.53.0?

Yes. KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Michael Weber (RETIRED) gentoo-dev 2017-02-23 09:42:42 UTC
ppc64 stable
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-02-23 10:46:41 UTC
arm ppc stable.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-23 11:47:47 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2017-02-23 15:56:02 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-23 16:31:30 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-02-25 10:06:00 UTC
sparc stable
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2017-02-28 11:25:17 UTC
Stable on alpha.
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2017-03-07 21:40:37 UTC
ia64 please complete stabilization.

GLSA Vote: Yes
Starting GLSA writing process.
Comment 11 Agostino Sarubbo gentoo-dev 2017-03-11 17:18:54 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-03-28 02:52:01 UTC
This issue was resolved and addressed in
 GLSA 201703-04 at
by GLSA coordinator Yury German (BlueKnight).
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2017-03-28 02:53:11 UTC
Re Opening for cleanup.
Maintainer(s), please drop the vulnerable version(s).
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-04-11 05:40:03 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 12:41:55 UTC
Cleanup PR:
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-04 12:54:32 UTC
Repository is now clean, all done.