CVE-2016-5419
Published: 2016-08-10
Priority: P3 · 53 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 15.06% (96.3th percentile)
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
Affected
18 ranges in the source; verbatim duplicate rows collapsed
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_sierra_10.12.2_security_update_2016-003_el_capitan_and_security_update_201 | — | — |
| debian | curl | < curl 7.50.1-1 (bookworm) | curl 7.50.1-1 (bookworm) |
| debian | curl | < curl 7.52.1-5 (bookworm) | curl 7.52.1-5 (bookworm) |
| debian | debian_linux | — | — |
| android | — | — | — |
| haxx | curl | >= 0 < 7.50.1-1 | 7.50.1-1 |
| haxx | curl | >= 0 < 7.52.1-5 | 7.52.1-5 |
| haxx | curl | >= 0 < 7.35.0-1ubuntu2.8 | 7.35.0-1ubuntu2.8 |
| haxx | curl | >= 0 < 7.47.0-1ubuntu2.1 | 7.47.0-1ubuntu2.1 |
| haxx | libcurl | <= 7.50.0 | — |
| haxx | libcurl | 7.52.0 – 7.53.1 | — |
| opensuse | leap | — | — |
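The upstream libcurl rows above give two disjoint affected ranges: everything below 7.50.1 (CVE-2016-5419) and 7.52.0 through 7.53.1 (CVE-2017-7468, the regression), with 7.50.1 to 7.51.x clean in between. The following C program is an added example, not curl's own code: it parses an upstream version string and answers whether it falls in either range. The function names are invented for this illustration, and the caveat in the comment matters in practice: the Ubuntu rows in the table show distribution packages (7.35.0-1ubuntu2.8, 7.47.0-1ubuntu2.1) that are fixed although their upstream version number is below 7.50.1, so the upstream check is only valid for builds from source.

```c
#include <stdio.h>

/* Added example, not curl's own code.  Encodes the two upstream-affected ranges
 * listed on this page: below 7.50.1 (CVE-2016-5419) and 7.52.0 through 7.53.1
 * (CVE-2017-7468, the regression of the same bug). */

static long version_key(int major, int minor, int patch)
{
    return (long)major * 1000000L + (long)minor * 1000L + patch;
}

/* Parses an upstream version such as "7.50.0" (the second word of `curl --version`,
 * or the output of `curl-config --version` with the leading "libcurl " removed).
 * A trailing suffix such as "-DEV" is ignored.  Returns 0 on success, -1 on bad input. */
int parse_curl_version(const char *s, long *key)
{
    int major, minor, patch = 0;
    int n = sscanf(s, "%d.%d.%d", &major, &minor, &patch);
    if (n < 2 || major < 0 || minor < 0 || patch < 0)
        return -1;
    *key = version_key(major, minor, patch);
    return 0;
}

/* 1 = upstream version is in an affected range, 0 = not affected, -1 = unparsable.
 * Caveat: distributions backport fixes without changing the upstream version string
 * (this page lists Ubuntu's 7.35.0-1ubuntu2.8 as fixed although 7.35.0 < 7.50.1),
 * so for vendor packages the package version in the vendor rows is authoritative. */
int curl_upstream_affected(const char *version)
{
    long k;
    if (parse_curl_version(version, &k) != 0)
        return -1;
    if (k < version_key(7, 50, 1))
        return 1;                                   /* CVE-2016-5419 */
    if (k >= version_key(7, 52, 0) && k <= version_key(7, 53, 1))
        return 1;                                   /* CVE-2017-7468 */
    return 0;
}

int main(int argc, char **argv)
{
    const char *v = argc > 1 ? argv[1] : "7.53.1";
    int r = curl_upstream_affected(v);
    printf("%s: %s\n", v, r < 0 ? "unparsable" : r ? "affected" : "not affected");
    return r < 0 ? 2 : r;
}
```

Run it as `./check "$(curl --version | awk 'NR==1{print $2}')"`; the exit status is 1 for an affected upstream version, 0 for a clean one, 2 if the string could not be parsed.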
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Red Hat
curl: TLS session resumption client cert bypass
vendor_redhat·2017-04-19·CVSS 7.5
CVE-2017-7468 [HIGH] CWE-295 curl: TLS session resumption client cert bypass
curl: TLS session resumption client cert bypass
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
Package: r
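The advisory text above describes the bug class exactly: libcurl's session cache matched cached TLS sessions without considering which client certificate (if any) was configured, and because a server may skip the client-certificate check on resumption, a later request made with a different certificate, or with none, could ride on the identity established earlier. The C program below is an added illustration and not libcurl source: it models a client-side session-id cache with the vulnerable matching rule beside a fixed one that includes the client certificate in the key, which is the shape of the upstream fix. The struct and function names, the host, the certificate paths and the session id are invented for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not libcurl source: the names below are invented to model a
 * client-side TLS session-id cache and the rule that decides whether a cached session
 * may be resumed for a new connection. */

#define CACHE_SLOTS 8

struct tls_config {           /* the settings that fix the peer's view of our identity */
    char host[64];
    int  port;
    char clientcert[128];     /* "" when no client certificate is configured */
};

struct session_entry {
    struct tls_config key;
    unsigned session_id;      /* stands in for the opaque session id / ticket */
    int in_use;
};

typedef int (*matcher_fn)(const struct tls_config *, const struct tls_config *);

static struct session_entry cache[CACHE_SLOTS];

/* Vulnerable rule: host and port only; the client certificate plays no part. */
int match_vulnerable(const struct tls_config *a, const struct tls_config *b)
{
    return a->port == b->port && strcmp(a->host, b->host) == 0;
}

/* Fixed rule: the client certificate is part of the identity, so it is part of the key. */
int match_fixed(const struct tls_config *a, const struct tls_config *b)
{
    return match_vulnerable(a, b) && strcmp(a->clientcert, b->clientcert) == 0;
}

void cache_reset(void) { memset(cache, 0, sizeof cache); }

int cache_add(const struct tls_config *cfg, unsigned session_id)
{
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].in_use) {
            cache[i].key = *cfg;
            cache[i].session_id = session_id;
            cache[i].in_use = 1;
            return 0;
        }
    }
    return -1;                /* cache full */
}

/* Returns the session id to resume, or 0 when a full handshake must be done. */
unsigned cache_lookup(const struct tls_config *cfg, matcher_fn match)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].in_use && match(&cache[i].key, cfg))
            return cache[i].session_id;
    return 0;
}

/* Scenario: one connection to host:443 was made with cert `first` and its session
 * cached as 0x1001; a later connection to the same host:443 is configured with cert
 * `second`.  Returns what the cache hands back for the second connection. */
unsigned scenario(const char *first, const char *second, matcher_fn match)
{
    struct tls_config c1 = { "api.example.test", 443, "" };
    struct tls_config c2 = { "api.example.test", 443, "" };
    strncpy(c1.clientcert, first, sizeof c1.clientcert - 1);
    strncpy(c2.clientcert, second, sizeof c2.clientcert - 1);
    cache_reset();
    cache_add(&c1, 0x1001u);
    return cache_lookup(&c2, match);
}

int main(void)
{
    const char *admin = "/etc/pki/admin-client.pem";
    /* A session authenticated with the admin cert, then a request configured with no cert: */
    printf("vulnerable: %#x (anonymous request resumes the admin session)\n",
           scenario(admin, "", match_vulnerable));
    printf("fixed:      %#x (0 = full handshake; the server sees no client cert)\n",
           scenario(admin, "", match_fixed));
    /* Same cert on both connections: the fixed rule still allows resumption. */
    printf("fixed, same cert: %#x\n", scenario(admin, admin, match_fixed));
    return 0;
}
```

The same reasoning applies to any other setting that changes what the server believes about the client or what the client verified about the server (CA bundle, verification flags, proxy): every such field belongs in the cache key, or resumption silently carries over a decision made under different settings.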
Debian
CVE-2017-7468: curl - In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to res...
vendor_debian·2017·CVSS 7.5
CVE-2017-7468 [HIGH] CVE-2017-7468: curl - In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to res...
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
Scope: local
bookworm: resolved (fixed in 7.52.1-5)
bullseye
Apple
CVE-2016-5419: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
vendor_apple·2016-12-13·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite
CVE: CVE-2016-5419
Component: CVE-2016-5419
Android
CVE-2016-5419: Android Security Bulletin 2016-12-01
vendor_android·2016-12-01·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419: Android Security Bulletin 2016-12-01
Android Security Bulletin 2016-12-01
CVE: CVE-2016-5419
Severity: HIGH
Affected AOSP versions: 7.0
References: A-31271247
Ubuntu
curl vulnerabilities
vendor_ubuntu·2016-08-08·CVSS 7.5
CVE-2016-5419 [HIGH] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. (CVE-2016-5419)
It was discovered that curl incorrectly handled client certificates when reusing TLS connections. (CVE-2016-5420)
Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly reused a connection struct, contrary to expectations. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5421)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
curl: TLS session resumption client cert bypass
vendor_redhat·2016-08-03·CVSS 7.5
CVE-2016-5419 [HIGH] CWE-295 curl: TLS session resumption client cert bypass
curl: TLS session resumption client cert bypass
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
It was found that the libcurl library did not prevent TLS session resumption when the client certificate had changed. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Out of support scope
Package: rh-dotnet20-curl (.NET Core 2.0 on Red Hat Enterprise Lin
Debian
CVE-2016-5419: curl - curl and libcurl before 7.50.1 do not prevent TLS session resumption when the cl...
vendor_debian·2016·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419: curl - curl and libcurl before 7.50.1 do not prevent TLS session resumption when the cl...
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
Scope: local
bookworm: resolved (fixed in 7.50.1-1)
bullseye: resolved (fixed in 7.50.1-1)
forky: resolved (fixed in 7.50.1-1)
sid: resolved (fixed in 7.50.1-1)
trixie: resolved (fixed in 7.50.1-1)
GHSA
GHSA-j5mq-cppw-g9w7: curl and libcurl before 7
ghsa_unreviewed·2022-05-14
CVE-2016-5419 [HIGH] GHSA-j5mq-cppw-g9w7: curl and libcurl before 7
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
GHSA
GHSA-5v44-xcm9-r9jw: In curl and libcurl 7
ghsa_unreviewed·2022-05-13·CVSS 7.5
CVE-2017-7468 [HIGH] CWE-295 GHSA-5v44-xcm9-r9jw: In curl and libcurl 7
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
OSV
CVE-2017-7468: In curl and libcurl 7
osv·2018-07-16·CVSS 7.5
CVE-2017-7468 [HIGH] CVE-2017-7468: In curl and libcurl 7
In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate). libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster. This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
OSV
CVE-2016-5419: curl and libcurl before 7
osv·2016-08-10·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419: curl and libcurl before 7
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
OSV
curl vulnerabilities
osv·2016-08-08·CVSS 7.5
CVE-2016-5419 [HIGH] curl vulnerabilities
curl vulnerabilities
Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. (CVE-2016-5419)
It was discovered that curl incorrectly handled client certificates when reusing TLS connections. (CVE-2016-5420)
Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly reused a connection struct, contrary to expectations. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5421)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7468 curl: TLS session resumption client cert bypass
bugzilla·2017-04-19·CVSS 7.5
CVE-2017-7468 [HIGH] CVE-2017-7468 curl: TLS session resumption client cert bypass
CVE-2017-7468 curl: TLS session resumption client cert bypass
libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).
libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster.
This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
External References:
https://curl.haxx.se/doc
Bugzilla
CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7]
bugzilla·2016-08-03·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7]
CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
Bugzilla
CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all]
bugzilla·2016-08-03·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all]
CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fed
Bugzilla
CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all]
bugzilla·2016-08-03·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all]
CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2016-5419 curl: TLS session resumption client cert bypass
bugzilla·2016-08-01·CVSS 7.5
CVE-2016-5419 [HIGH] CVE-2016-5419 curl: TLS session resumption client cert bypass
CVE-2016-5419 curl: TLS session resumption client cert bypass
It was reported that libcurl would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).
libcurl supports by default the use of TLS session id/ticket to resume previous TLS sessions to speed up subsequent TLS handshakes. They are used when for any reason an existing TLS connection couldn't be kept alive to make the next handshake faster.
External Reference:
https://curl.haxx.se/docs/adv_20160803A.html
Discussion:
Created curl tracking bugs for this issue:
Affects: fedora-all [bug 1363
References
http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html
http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html
http://rhn.redhat.com/errata/RHSA-2016-2575.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://www.debian.org/security/2016/dsa-3638
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/92292
http://www.securityfocus.com/bid/92319
http://www.securitytracker.com/id/1036538
http://www.securitytracker.com/id/1038341
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059
http://www.ubuntu.com/usn/USN-3048-1
https://access.redhat.com/errata/RHSA-2018:3558
https://curl.haxx.se/docs/adv_20160803A.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/
https://security.gentoo.org/glsa/201701-47
https://source.android.com/security/bulletin/2016-12-01.html
https://www.tenable.com/security/tns-2016-18
Published: 2016-08-10