Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 923413 (CVE-2024-0853) - <net-misc/curl-8.6.0: OCSP verification bypass with TLS session reuse
Summary: <net-misc/curl-8.6.0: OCSP verification bypass with TLS session reuse
Status: RESOLVED FIXED
Alias: CVE-2024-0853
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://curl.se/docs/CVE-2024-0853.html
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 926619
Blocks:
  Show dependency tree
 
Reported: 2024-01-31 10:29 UTC by Sam James
Modified: 2024-09-23 05:55 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-01-31 10:29:24 UTC
"""
VULNERABILITY

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check.
INFO

This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-0853 to this issue.

CWE-299: Improper Check for Certificate Revocation

Severity: Low
"""
Comment 1 Larry the Git Cow gentoo-dev 2024-01-31 10:32:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37801e438b1b11c3ec8c06678b647aea906c2d93

commit 37801e438b1b11c3ec8c06678b647aea906c2d93
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2024-01-31 10:14:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-31 10:29:52 +0000

    net-misc/curl: add 8.6.0
    
    Bug: https://bugs.gentoo.org/923413
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest          |   2 +
 net-misc/curl/curl-8.6.0.ebuild | 365 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 367 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-09-23 05:53:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f

commit b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-23 05:53:30 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-23 05:53:40 +0000

    [ GLSA 202409-20 ] curl: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/919325
    Bug: https://bugs.gentoo.org/919889
    Bug: https://bugs.gentoo.org/923413
    Bug: https://bugs.gentoo.org/927960
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-20.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)