Bugzilla – Bug 997420
VUL-1: CVE-2016-7141: curl: Incorrect reuse of client certificates
Last modified: 2018-09-05 11:06:25 UTC
rh#1373229

After testing the original CVE-2016-5420 patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection.

The original patch for CVE-2016-5420 has been amended to also contain the attached patch:
https://curl.haxx.se/CVE-2016-5420.patch

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1373229
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7141
http://seclists.org/oss-sec/2016/q3/419
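The reuse condition the report describes, as an added model that is not libcurl or NSS code: three hypothetical connection-matching policies are run over two transfers to the same host, the first with a client certificate from file and the second with none set, and over the reverse order. Host name, port, file paths and the matcher names are constructed for the illustration; the point shown is that a matcher which only compares client certificates when the new transfer asks for one still hands the no-certificate transfer a connection that authenticated with the certificate from file.

```python
# Added model of TLS connection reuse versus client-certificate settings; it is
# not libcurl or NSS code. Host, port and file paths are constructed for the
# illustration, and the three matchers are hypothetical policies.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class TlsConfig:
    """Per-transfer TLS settings that should decide whether a connection is reusable."""
    host: str
    port: int
    cafile: str
    clientcert: Optional[str] = None  # path of a client cert file, or None when not set


@dataclass
class Connection:
    cfg: TlsConfig        # settings the TLS handshake was actually performed with
    reuse_count: int = 0


Matcher = Callable[[TlsConfig, TlsConfig], bool]


def match_host_only(existing: TlsConfig, wanted: TlsConfig) -> bool:
    """Reuse on host:port alone; the client identity is never compared."""
    return (existing.host, existing.port) == (wanted.host, wanted.port)


def match_cert_if_requested(existing: TlsConfig, wanted: TlsConfig) -> bool:
    """Compare client certs only when the new transfer configures one.

    A transfer that sets no certificate therefore still accepts a connection
    that authenticated with a certificate from file, which is the condition
    the bug report describes (modelled here, not curl's actual logic).
    """
    if (existing.host, existing.port, existing.cafile) != (
        wanted.host, wanted.port, wanted.cafile
    ):
        return False
    if wanted.clientcert is None:
        return True
    return existing.clientcert == wanted.clientcert


def match_exact(existing: TlsConfig, wanted: TlsConfig) -> bool:
    """Every reuse-relevant field must agree, 'no client cert' versus a path included."""
    return existing == wanted


class ConnectionPool:
    """Keeps established connections and hands one out when the matcher accepts it."""

    def __init__(self, matcher: Matcher) -> None:
        self.matcher = matcher
        self.conns: List[Connection] = []

    def acquire(self, cfg: TlsConfig) -> Tuple[Connection, bool]:
        for conn in self.conns:
            if self.matcher(conn.cfg, cfg):
                conn.reuse_count += 1
                return conn, True
        conn = Connection(cfg)          # fresh handshake with exactly these settings
        self.conns.append(conn)
        return conn, False


def run_transfers(matcher: Matcher, configs: List[TlsConfig]) -> List[Tuple[Optional[str], bool]]:
    """Return, per transfer, the client cert the server actually saw and whether
    the connection was reused. The identity is that of the connection's own
    handshake, not what the transfer asked for."""
    pool = ConnectionPool(matcher)
    seen: List[Tuple[Optional[str], bool]] = []
    for cfg in configs:
        conn, reused = pool.acquire(cfg)
        seen.append((conn.cfg.clientcert, reused))
    return seen


# Constructed inputs: same host and CA, differing only in the client certificate.
WITH_CERT = TlsConfig("api.example.test", 443, "/etc/ssl/ca.pem", "/home/user/client.pem")
NO_CERT = TlsConfig("api.example.test", 443, "/etc/ssl/ca.pem", None)
CERT_THEN_NONE = [WITH_CERT, NO_CERT]
NONE_THEN_CERT = [NO_CERT, WITH_CERT]

if __name__ == "__main__":
    for name, matcher in (("host only", match_host_only),
                          ("cert if requested", match_cert_if_requested),
                          ("exact", match_exact)):
        print(f"{name:18} cert-then-none: {run_transfers(matcher, CERT_THEN_NONE)}")
        print(f"{name:18} none-then-cert: {run_transfers(matcher, NONE_THEN_CERT)}")
```

Only `match_exact` gives the second transfer in the cert-then-none order a connection with no client identity; `match_cert_if_requested` reuses the certificate-authenticated connection in that order while behaving correctly in the reverse order, which is why a test that only sets a certificate after an anonymous transfer would miss the defect. Confirming the behaviour of a real build needs a TLS server that logs the presented client certificate and two transfers sharing one connection cache.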
bugbot adjusting priority
(afaik we are not building curl with nss)
This is an autogenerated message for OBS integration: This bug (997420) was mentioned in https://build.opensuse.org/request/show/427061 13.2 / curl
SUSE-SU-2016:2330-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): curl-7.37.0-28.1
SUSE Linux Enterprise Server 12-SP1 (src): curl-7.37.0-28.1
SUSE Linux Enterprise Desktop 12-SP1 (src): curl-7.37.0-28.1
openSUSE-SU-2016:2379-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 991389,991390,991391,991746,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-5421,CVE-2016-7141
Sources used:
openSUSE Leap 42.1 (src): curl-7.37.0-13.1
SUSE-SU-2016:2449-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 991389,991390,997420
CVE References: CVE-2016-5419,CVE-2016-5420,CVE-2016-7141
Sources used:
SUSE OpenStack Cloud 5 (src): curl-7.19.7-1.61.1
SUSE Manager Proxy 2.1 (src): curl-7.19.7-1.61.1
SUSE Manager 2.1 (src): curl-7.19.7-1.61.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): curl-7.19.7-1.61.1
SUSE Linux Enterprise Server 11-SP4 (src): curl-7.19.7-1.61.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): curl-7.19.7-1.61.1
SUSE Linux Enterprise Server 11-SECURITY (src): curl-openssl1-7.19.7-1.61.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): curl-7.19.7-1.61.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): curl-7.19.7-1.61.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): curl-7.19.7-1.61.1
(In reply to Marcus Meissner from comment #2)
> (afaik we are not building curl with nss)

That's right. We build it against openssl and are thus unaffected by CVE-2016-7141.
SUSE-SU-2016:2700-1: An update that fixes 13 vulnerabilities is now available.

Category: security (important)
Bug References: 1005633,1005634,1005635,1005637,1005638,1005642,1005645,1005646,997420,998760
CVE References: CVE-2016-5420,CVE-2016-7141,CVE-2016-7167,CVE-2016-8615,CVE-2016-8616,CVE-2016-8617,CVE-2016-8618,CVE-2016-8619,CVE-2016-8620,CVE-2016-8621,CVE-2016-8622,CVE-2016-8623,CVE-2016-8624
Sources used:
SUSE Studio Onsite 1.3 (src): curl-7.19.7-1.20.47.2
released