oss-sec mailing list archives

Re: [SECURITY VULNERABILITY] curl: Re-using connections with wrong client cert


From: cve-assign () mitre org
Date: Mon, 5 Sep 2016 18:41:47 -0400 (EDT)


libcurl built on top of NSS (Network Security Services) still incorrectly
re-uses client certificates if a certificate from file is used for one TLS
connection but no certificate is set for a subsequent TLS connection.

This problem was caused by an implementation detail of the NSS backend
in libcurl, which is orthogonal to the cause of CVE-2016-5420.

Use CVE-2016-7141 for this additional vulnerability.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]

