CVE-2017-7468

Severity Medium
Remote Yes
Type Certificate verification bypass
Description
libcurl from 7.52.0 to and including 7.53.1 would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate).
This flaw is a regression and identical to CVE-2016-5419 reported on August 3rd 2016, but affecting a different version range.
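The following is an added illustration of the matching logic the description refers to; it is not libcurl's code. It models a TLS session cache whose lookup either ignores the configured client certificate (the 7.52.0 to 7.53.1 behaviour) or requires it to match (the fixed behaviour). The cache structure, the ClientConfig type and the certificate paths are constructed for the example.

```python
"""Model of a TLS session-cache lookup with and without the client-identity
check. Added example, not libcurl's own implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientConfig:
    """Per-transfer TLS settings (hypothetical, simplified)."""
    host: str
    port: int
    client_cert: Optional[str]  # path to client certificate, None if none
    client_key: Optional[str]   # path to matching private key, None if none


class SessionCache:
    def __init__(self, match_client_identity: bool) -> None:
        # False reproduces the regressed behaviour: only host and port are
        # compared, so a session established under one client certificate
        # (or none) is offered for resumption under a different one.
        # True is the corrected behaviour: the client cert/key must match too.
        self.match_client_identity = match_client_identity
        self._entries: List[Tuple[ClientConfig, bytes]] = []

    def store(self, cfg: ClientConfig, session_id: bytes) -> None:
        self._entries.append((cfg, session_id))

    def lookup(self, cfg: ClientConfig) -> Optional[bytes]:
        for cached_cfg, session_id in self._entries:
            if (cached_cfg.host, cached_cfg.port) != (cfg.host, cfg.port):
                continue
            same_identity = (cached_cfg.client_cert, cached_cfg.client_key) == \
                            (cfg.client_cert, cfg.client_key)
            if self.match_client_identity and not same_identity:
                continue
            return session_id
        return None


def would_resume(fixed: bool, first_cert: Optional[str],
                 second_cert: Optional[str]) -> bool:
    """Return True if a session created with first_cert is reused for a
    later transfer to the same host:port configured with second_cert."""
    cache = SessionCache(match_client_identity=fixed)
    key = lambda c: None if c is None else c.replace(".pem", ".key")
    first = ClientConfig("example.test", 443, first_cert, key(first_cert))
    cache.store(first, b"constructed-session-id")
    second = ClientConfig("example.test", 443, second_cert, key(second_cert))
    return cache.lookup(second) is not None
```

With the check disabled, a session set up without any certificate is reused once a certificate is configured, which is exactly the identity confusion the advisory describes.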
Group    Package               Affected   Fixed     Severity  Status  Ticket
AVG-243  lib32-curl            7.53.1-1   7.54.0-1  Medium    Fixed
AVG-241  curl                  7.53.1-2   7.54.0-1  Medium    Fixed
AVG-184  lib32-libcurl-gnutls  7.52.1-2   7.53.0-1  Medium    Fixed
AVG-183  lib32-libcurl-compat  7.52.1-2   7.53.0-1  Medium    Fixed
AVG-181  libcurl-gnutls        7.52.1-1   7.53.0-1  Medium    Fixed
AVG-180  libcurl-compat        7.52.1-1   7.53.0-1  Medium    Fixed
Date         Advisory       Group    Package  Severity  Description
29 Apr 2017  ASA-201704-12  AVG-241  curl     Medium    certificate verification bypass
References
https://curl.haxx.se/docs/adv_20170419.html