[manjaro-security] [arch-security] [ASA-201704-12] curl: certificate verification bypass

Remi Gacogne rgacogne at archlinux.org
Sun Apr 30 00:15:27 CEST 2017


Arch Linux Security Advisory ASA-201704-12
==========================================

Severity: Medium
Date    : 2017-04-29
CVE-ID  : CVE-2017-7468
Package : curl
Type    : certificate verification bypass
Remote  : Yes
Link    : https://security.archlinux.org/AVG-241

Summary
=======

The package curl before version 7.54.0-1 is vulnerable to certificate
verification bypass.

Resolution
==========

Upgrade to 7.54.0-1.

# pacman -Syu "curl>=7.54.0-1"

The problem has been fixed upstream in version 7.54.0.

Workaround
==========

None.

Description
===========

libcurl from 7.52.0 to and including 7.53.1 would attempt to resume a
TLS session even if the client certificate had changed. That is
unacceptable since a server by specification is allowed to skip the
client certificate check on resume, and may instead use the old
identity which was established by the previous certificate (or no
certificate).
This flaw is a regression and identical to CVE-2016-5419 reported on
August 3rd 2016, but affecting a different version range.

Impact
======

An attacker can bypass a client certificate check by taking advantage
of TLS session resumption to reuse a previously established session.

References
==========

https://curl.haxx.se/docs/adv_20170419.html
https://security.archlinux.org/CVE-2017-7468

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20170430/2f02eafa/attachment.pgp>


More information about the manjaro-security mailing list