[ASA-201704-12] curl: certificate verification bypass
Arch Linux Security Advisory ASA-201704-12
==========================================
Severity: Medium
Date : 2017-04-29
CVE-ID : CVE-2017-7468
Package : curl
Type : certificate verification bypass
Remote : Yes
Link : https://security.archlinux.org/AVG-241
Summary
=======
The package curl before version 7.54.0-1 is vulnerable to certificate
verification bypass.
Resolution
==========
Upgrade to 7.54.0-1.
# pacman -Syu "curl>=7.54.0-1"
The problem has been fixed upstream in version 7.54.0.
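To tell whether an installed package still falls in the affected range, the following Python helper (added for this advisory, not an Arch or curl tool) parses `pacman -Q` style output and compares the Arch `pkgver-pkgrel` string against the versions the advisory names. The sample `pacman -Q` lines are constructed.

```python
"""Classify an Arch curl package version against ASA-201704-12.

Added helper for this advisory; it is not part of pacman or curl.
"""
import re

# Range the advisory gives for the regression (upstream pkgver only).
AFFECTED_LOW = (7, 52, 0)
AFFECTED_HIGH = (7, 53, 1)
# First fixed Arch package: pkgver 7.54.0, pkgrel 1.
FIXED = ((7, 54, 0), 1)


def parse_pkg_version(version: str):
    """Split an Arch 'pkgver-pkgrel' string such as '7.53.1-1' into
    ((7, 53, 1), 1). Epoch prefixes are not used by the curl package and
    are rejected rather than guessed at."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch, rel = map(int, m.groups())
    return (major, minor, patch), rel


def curl_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'outside-range' for one package version."""
    upstream, rel = parse_pkg_version(version)
    if (upstream, rel) >= FIXED:
        return "fixed"
    if AFFECTED_LOW <= upstream <= AFFECTED_HIGH:
        return "vulnerable"
    # Older than 7.52.0: not covered by this advisory's range at all.
    return "outside-range"


def check_pacman_q(output: str) -> dict:
    """Scan `pacman -Q` output (lines of 'name version') and report the
    status of any curl entry found."""
    results = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "curl":
            results[parts[0]] = curl_status(parts[1])
    return results


if __name__ == "__main__":
    # Constructed sample of `pacman -Q` output.
    sample = "curl 7.53.1-1\nopenssl 1.1.0.e-1\n"
    print(check_pacman_q(sample))
```

Feed it real output with `pacman -Q curl | python3 check_curl.py`-style plumbing, or call `curl_status()` directly; a pkgrel bump on an affected pkgver (for example a hypothetical `7.53.1-2`) is still reported as vulnerable, since only the 7.54.0 rebuild carries the upstream fix.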
Workaround
==========
None.
Description
===========
libcurl from 7.52.0 to and including 7.53.1 would attempt to resume a
TLS session even if the client certificate had changed. That is
unacceptable since a server by specification is allowed to skip the
client certificate check on resume, and may instead use the old
identity which was established by the previous certificate (or no
certificate).
This flaw is a regression and identical to CVE-2016-5419 reported on
August 3rd 2016, but affecting a different version range.
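The mechanism behind the flaw is easiest to see in a small model of a client-side TLS session cache. The Python below is an illustration added for this advisory, not libcurl's code: the vulnerable cache keys sessions on host and port alone, so a connection configured with a different client certificate (or none) is still offered the old session, and a server that skips client authentication on resume keeps the identity from the original handshake. The hardened cache includes the configured client certificate in the key. Host names and certificate file names are constructed.

```python
"""Model of CVE-2017-7468: session resumption across a client certificate change.

Illustrative model written for this advisory; not libcurl's implementation.
"""
import itertools
from dataclasses import dataclass
from typing import Optional

_session_ids = itertools.count(1)


@dataclass(frozen=True)
class Session:
    """A resumable TLS session. `client_identity` is the client certificate
    the server verified during the full handshake that created it (None for
    an anonymous client)."""
    session_id: int
    client_identity: Optional[str]


class VulnerableSessionCache:
    """Keyed by (host, port) only: the behaviour the advisory describes for
    libcurl 7.52.0 through 7.53.1."""

    def __init__(self):
        self._store = {}

    def lookup(self, host, port, client_cert):
        return self._store.get((host, port))

    def store(self, host, port, client_cert, session):
        self._store[(host, port)] = session


class FixedSessionCache:
    """Keyed by (host, port, client certificate): a session established under
    one client identity is never offered when another is configured."""

    def __init__(self):
        self._store = {}

    def lookup(self, host, port, client_cert):
        return self._store.get((host, port, client_cert))

    def store(self, host, port, client_cert, session):
        self._store[(host, port, client_cert)] = session


def connect(cache, host, port, client_cert):
    """Simulate one connection and return (handshake_kind, identity the
    server associates with it). On resume the server, as the specification
    permits, skips the client certificate check and keeps the identity from
    the original handshake; on a full handshake it authenticates whatever
    certificate is presented now."""
    cached = cache.lookup(host, port, client_cert)
    if cached is not None:
        return "resumed", cached.client_identity
    session = Session(next(_session_ids), client_cert)
    cache.store(host, port, client_cert, session)
    return "full", client_cert


def demo(cache_cls):
    """Three connections to one server: first as 'alice.pem', then with a
    different certificate 'mallory.pem', then as 'alice.pem' again."""
    cache = cache_cls()
    return (
        connect(cache, "example.com", 443, "alice.pem"),
        connect(cache, "example.com", 443, "mallory.pem"),
        connect(cache, "example.com", 443, "alice.pem"),
    )


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableSessionCache))
    print("fixed:     ", demo(FixedSessionCache))
```

With the vulnerable cache the second connection resumes and is treated as `alice.pem` even though `mallory.pem` was configured, which is the bypass in the Impact section; with the fixed cache it falls back to a full handshake, while the third connection still resumes normally because the configured certificate matches the cached one.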
Impact
======
An attacker can bypass a client certificate check by taking advantage
of TLS session resumption to reuse a previously established session.
References
==========
https://curl.haxx.se/docs/adv_20170419.html
https://security.archlinux.org/CVE-2017-7468