curl-users
[SECURITY ADVISORY] curl: Incorrect reuse of client certificates
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 7 Sep 2016 13:39:36 +0200 (CEST)
Date: Wed, 7 Sep 2016 13:39:36 +0200 (CEST)
Incorrect reuse of client certificates
======================================
Project cURL Security Advisory, September 7th 2016 -
[Permalink](https://curl.haxx.se/docs/adv_20160907.html)
VULNERABILITY
-------------
libcurl built on top of NSS (Network Security Services) incorrectly re-used
client certificates if a certificate from file was used for one TLS connection
but no certificate set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong
client cert), this vulnerability was caused by an implementation detail of the
NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420.
We are not aware of any exploit of this flaw.
INFO
---- This flaw also affects the curl command line tool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-7141 to this issue. AFFECTED VERSIONS ----------------- This flaw is present in curl and libcurl only if they are built with the support for NSS and only if the libnsspem.so library is available at run-time. - Affected versions: libcurl 7.19.6 to and including 7.50.1 - Not affected versions: libcurl >= 7.50.2 libcurl is used by many applications, but not always advertised as such! THE SOLUTION ------------ A fix for this flaw is included in libcurl 7.50.2 via [commit `curl-7_50_2~32`](https://github.com/curl/curl/commit/curl-7_50_2~32). For older releases of libcurl there is a [patch for CVE-2016-7141](https://curl.haxx.se/CVE-2016-7141.patch). RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Apply the patch on the source code of libcurl and rebuild. B - Configure libcurl to use a different TLS backend and rebuild. C - Use certificates from NSS database instead of loading them from files. TIME LINE --------- This flaw was reported by Red Hat on August 22nd. The patch fixing the flaw was published on September 5th. CVE-2016-7141 was assigned to this flaw on September 6th. This advisory was published on September 7th. CREDITS ------- Reported by Red Hat. Security advisory coordinated by Daniel Stenberg. Thanks a lot! -- / daniel.haxx.se ------------------------------------------------------------------- List admin: https://cool.haxx.se/list/listinfo/curl-users FAQ: https://curl.haxx.se/docs/faq.html Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2016-09-07