CVE-2016-5420: curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the…

CVE-2016-5420 [HIGH] CVE-2016-5420: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite Apple Security Update: About the security content of macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite Product: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite CVE: CVE-2016-5420 Component: CVE-2016-5420

CVE-2016-5420 [HIGH] CVE-2016-5420: Android Security Bulletin 2016-12-01 CVE: CVE-2016-5420 Severity: HIGH Affected AOSP versions: 7 Android Security Bulletin 2016-12-01 CVE: CVE-2016-5420 Severity: HIGH Affected AOSP versions: 7.0 References: A-31271247

CVE-2016-7141 [HIGH] CWE-295 curl: Incorrect reuse of client certificates curl: Incorrect reuse of client certificates curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. It was found that the libcurl library using the NSS (Network Security Services) library as TLS/SSL backend incorrectly re-used client certificates for subsequent TLS connections in certain cases. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. Package: rh-dotnetcore10-curl

CVE-2016-5419 [HIGH] curl vulnerabilities Title: curl vulnerabilities Summary: Several security issues were fixed in curl. Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. (CVE-2016-5419) It was discovered that curl incorrectly handled client certificates when reusing TLS connections. (CVE-2016-5420) Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly reused a connection struct, contrary to expectations. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5421) Instructions: In general, a standard system update will make all the necessary changes.

CVE-2016-5420 [HIGH] CWE-295 curl: Re-using connection with wrong client cert curl: Re-using connection with wrong client cert curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. It was found that the libcurl library did not check the client certificate when choosing the TLS connection to reuse. An attacker could potentially use this flaw to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. Package: rh-dotnetcore10-curl (.NET Core 1.0 on Red Hat Enterprise Linux) - Out of support scope Package: rh-dotnetcore11-curl (.NET Core 1.1 on Red Hat Enterprise Linux) - Out of

CVE-2016-7141 [HIGH] CVE-2016-7141: curl - curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library... curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. Scope: local bookworm: resolved (fixed in 7.51.0-1) bullseye: resolved (fixed in 7.51.0-1) forky: resolved (fixed in 7.51.0-1) sid: resolved (fixed in 7.51.0-1) trixie: resolved (fixed in 7.51.0-1)

CVE-2016-5420 [HIGH] CVE-2016-5420: curl - curl and libcurl before 7.50.1 do not check the client certificate when choosing... curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. Scope: local bookworm: resolved (fixed in 7.50.1-1) bullseye: resolved (fixed in 7.50.1-1) forky: resolved (fixed in 7.50.1-1) sid: resolved (fixed in 7.50.1-1) trixie: resolved (fixed in 7.50.1-1)

CVE-2016-5420 [HIGH] CWE-285 GHSA-qpjh-642g-hgh8: curl and libcurl before 7 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

CVE-2016-7141 [HIGH] CWE-287 GHSA-vx32-35rm-8jq5: curl and libcurl before 7 curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

CVE-2016-7141 [HIGH] CVE-2016-7141: curl and libcurl before 7 curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

CVE-2016-5420 [HIGH] CVE-2016-5420: curl and libcurl before 7 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

CVE-2016-5419 [HIGH] curl vulnerabilities curl vulnerabilities Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. (CVE-2016-5419) It was discovered that curl incorrectly handled client certificates when reusing TLS connections. (CVE-2016-5420) Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly reused a connection struct, contrary to expectations. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5421)

CVE-2016-7141 [HIGH] CVE-2016-7141 curl: Incorrect reuse of client certificates CVE-2016-7141 curl: Incorrect reuse of client certificates After testing original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection. The original patch for CVE-2016-5420 has been amended to also contain the attached patch: https://curl.haxx.se/CVE-2016-5420.patch Discussion: Created curl tracking bugs for this issue: Affects: fedora-all [bug 1373230] --- Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1373231] Affects: epel-7 [bug 1373232] --- CVE assignment: http://seclists.org/oss-sec/2016/q3/419 --- This issue has been addressed in the fol

CVE-2016-5419 [HIGH] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [epel-7] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. [bug automatically created by: add-tracking-bugs]

CVE-2016-5419 [HIGH] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 curl: various flaws [fedora-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions of Fed

CVE-2016-5419 [HIGH] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all] CVE-2016-5419 CVE-2016-5420 CVE-2016-5421 mingw-curl: various flaws [fedora-all] This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora. For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message. NOTE: this issue affects multiple supported versions

CVE-2016-5420 [HIGH] CVE-2016-5420 curl: Re-using connection with wrong client cert CVE-2016-5420 curl: Re-using connection with wrong client cert It was reported that libcurl did not consider client certificates when reusing TLS connections. libcurl supports reuse of established connections for subsequent requests. It does this by keeping a few previous connections "alive" in a connection pool so that a subsequent request that can use one of them instead of creating a new connection will do so. When using a client certificate for a connection that was then put into the connection pool, that connection could then wrongly get reused in a subsequent request to that same server that either didn't use a client certificate at all or that asked to use a different client certificate thus trying to tell the user that it is a different entity. This mistakenly using the wrong co