[3.1] curl: Incorrect reuse of client certificates (CVE-2016-7141)
libcurl built on top of NSS (Network Security Services) incorrectly re-used client certificates if a certificate from file was used for one TLS connection but no certificate was set for a subsequent TLS connection.

While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong client cert), this vulnerability was caused by an implementation detail of the NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.
Affected versions:
libcurl 7.19.6 to and including 7.50.1
Reference:
https://curl.haxx.se/docs/adv_20160907.html
Patch:
https://curl.haxx.se/CVE-2016-7141.patch
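Because this issue is specific to the NSS backend, an inventory check has to confirm both the libcurl version range above and the TLS backend a build was linked against, not just the version. The following is an added example (not code from the advisory or the curl project) that parses the first line of `curl --version` output; the sample output strings are constructed.

```python
import re

# Affected range from the advisory: libcurl 7.19.6 up to and including 7.50.1,
# and only when libcurl was built on top of NSS.
AFFECTED_MIN = (7, 19, 6)
AFFECTED_MAX = (7, 50, 1)

# Constructed samples of the first line printed by `curl --version`.
SAMPLE_NSS_BUILD = (
    "curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 NSS/3.28.1 "
    "zlib/1.2.8 libidn/1.33 libssh2/1.7.0 nghttp2/1.7.1\n"
    "Protocols: dict file ftp ftps http https\n"
)
SAMPLE_OPENSSL_BUILD = (
    "curl 7.50.1 (x86_64-alpine-linux-musl) libcurl/7.50.1 OpenSSL/1.0.2h "
    "zlib/1.2.8 libssh2/1.7.0\n"
)


def parse_version(text):
    """Turn a dotted version such as '7.50.1' into a comparable tuple."""
    return tuple(int(p) for p in text.split("."))


def parse_curl_version_output(output):
    """Return (libcurl version tuple, set of linked library names).

    The libraries appear as 'Name/version' tokens after 'libcurl/x.y.z';
    the TLS backend (NSS, OpenSSL, GnuTLS, ...) is one of them.
    """
    first = output.strip().splitlines()[0]
    m = re.search(r"libcurl/(\d+\.\d+\.\d+)", first)
    if not m:
        raise ValueError("no libcurl version found in: %r" % first)
    libs = set(re.findall(r"\b([A-Za-z][\w-]*)/\S+", first))
    libs.discard("libcurl")
    return parse_version(m.group(1)), libs


def is_affected_by_cve_2016_7141(output):
    """True only for an in-range libcurl that was built on the NSS backend."""
    version, libs = parse_curl_version_output(output)
    return AFFECTED_MIN <= version <= AFFECTED_MAX and "NSS" in libs
```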
(from redmine: issue id 6137, created on 2016-09-12, closed on 2016-10-14)
- Relations:
  - parent #6133 (closed)
- Changesets:
  - Revision 0b9606c7 on 2016-10-14T10:09:47Z:
    main/curl: security fix (CVE-2016-7141). Fixes #6137
    (cherry picked from commit 5d819a073fb59aa30d6f4614784fef677bb39a49)