MGASA-2016-0285

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2016-0285.html

Import Source

https://advisories.mageia.org/MGASA-2016-0285.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2016-0285

Related

Published

2016-08-31T15:32:33Z

Modified

2016-08-31T15:20:31Z

Summary

Updated curl packages fix security vulnerability

Details

libcurl before 7.50.1 would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate) (CVE-2016-5419).

In libcurl before 7.50.1, when using a client certificate for a connection that was then put into the connection pool, that connection could then wrongly get reused in a subsequent request to that same server. This mistakenly using the wrong connection could lead to applications sending requests to the wrong realms of the server using authentication that it wasn't supposed to have for those operations (CVE-2016-5420).

libcurl before 7.50.1 is vulnerable to a use-after-free flaw in curleasyperform() (CVE-2016-5421).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / curl

Package

Name: curl
Purl: pkg:rpm/mageia/curl?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.40.0-3.4.mga5

Ecosystem specific

{
    "section": "core"
}