""" VULNERABILITY curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (OCSP stapling) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. INFO This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-0853 to this issue. CWE-299: Improper Check for Certificate Revocation Severity: Low """
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37801e438b1b11c3ec8c06678b647aea906c2d93

commit 37801e438b1b11c3ec8c06678b647aea906c2d93
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2024-01-31 10:14:03 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-31 10:29:52 +0000

    net-misc/curl: add 8.6.0

    Bug: https://bugs.gentoo.org/923413
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/curl/Manifest          |   2 +
 net-misc/curl/curl-8.6.0.ebuild | 365 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 367 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f

commit b04b4f7e697b62c8b67bd3c4bad5d6903b20f23f
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-23 05:53:30 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-23 05:53:40 +0000

    [ GLSA 202409-20 ] curl: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/919325
    Bug: https://bugs.gentoo.org/919889
    Bug: https://bugs.gentoo.org/923413
    Bug: https://bugs.gentoo.org/927960
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-20.xml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)