[3.4] curl: Incorrect reuse of client certificates (CVE-2016-7141)
libcurl built on top of NSS (Network Security Services) incorrectly
re-used client certificates if a certificate from file was used for one
TLS connection but no certificate was set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (Re-using connection
with wrong client cert), this vulnerability was caused by an
implementation detail of the NSS backend in libcurl, which is orthogonal
to the cause of CVE-2016-5420.
Affected versions:
libcurl 7.19.6 to and including 7.50.1
Reference:
https://curl.haxx.se/docs/adv_20160907.html
Patch:
https://curl.haxx.se/CVE-2016-7141.patch
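The advisory above only applies to libcurl builds that use the NSS TLS backend and fall in the stated version range. The following is an added example (not code from the curl project or from this issue) that checks both conditions from the first line of `curl -V` output, so a fleet inventory script can flag hosts that need the upgrade. The sample version lines are constructed for illustration; the version range is the one stated in the advisory.

```python
import re
from typing import Optional, Tuple

# Affected range from the advisory: libcurl 7.19.6 up to and including 7.50.1.
AFFECTED_MIN = (7, 19, 6)
AFFECTED_MAX = (7, 50, 1)

# TLS backends that curl names in its version line; only NSS is relevant here.
_BACKEND_RE = re.compile(
    r"\b(NSS|OpenSSL|LibreSSL|BoringSSL|GnuTLS|mbedTLS|Secure Transport)/"
)
_LIBCURL_RE = re.compile(r"libcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_version_line(line: str) -> Tuple[Optional[Tuple[int, int, int]], Optional[str]]:
    """Extract (libcurl version, TLS backend) from the first line of `curl -V`.

    Example input (constructed):
        'curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 NSS/3.21 zlib/1.2.8'
    Returns (None, None) components where the information is missing.
    """
    m = _LIBCURL_RE.search(line)
    version = tuple(int(x) for x in m.groups()) if m else None
    b = _BACKEND_RE.search(line)
    backend = b.group(1) if b else None
    return version, backend


def is_affected_cve_2016_7141(line: str) -> bool:
    """True if the build is an NSS-backed libcurl inside the affected range."""
    version, backend = parse_curl_version_line(line)
    if version is None or backend != "NSS":
        # Builds on other TLS backends are not affected by this NSS-specific bug.
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


if __name__ == "__main__":
    # Constructed sample lines: one vulnerable NSS build, one fixed, one OpenSSL build.
    samples = [
        "curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 NSS/3.21 zlib/1.2.8",
        "curl 7.50.2 (x86_64-alpine-linux-musl) libcurl/7.50.2 NSS/3.21 zlib/1.2.8",
        "curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8",
    ]
    for s in samples:
        print(f"{'AFFECTED' if is_affected_cve_2016_7141(s) else 'ok':8} {s}")
```

In practice, feed the first line of `curl -V` from each host into `is_affected_cve_2016_7141`; any build reported as affected needs 7.50.2 or later (or the linked patch applied).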
(from redmine: issue id 6134, created on 2016-09-12, closed on 2016-10-14)
- Relations:
- parent #6133 (closed)
- Changesets:
- Revision 5c97a953 by Natanael Copa on 2016-09-15T10:12:49Z:
main/curl: security upgrade to 7.50.2 (CVE-2016-7141)
fixes #6134