Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 7 Sep 2016 12:47:09 +0000
From:      Gerard Seibert <carmel_ny@outlook.com>
To:        "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   libcurl vulnerability
Message-ID:  <DM3PR20MB0843BC5CC1D191F0D4F3A04480F80@DM3PR20MB0843.namprd20.prod.outlook.com>

Next in thread | Raw E-Mail | Index | Archive | Help
Does this vulnerability affect FreeBSD?

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Incorrect reuse of client certificates

Project cURL Security Advisory, September 7th 2016 - Permalink
VULNERABILITY

libcurl built on top of NSS (Network Security Services) incorrectly
re-used client certificates if a certificate from file was used for one
TLS connection but no certificate set for a subsequent TLS connection.

While the symptoms are similar to CVE-2016-5420 (Re-using connection
with wrong client cert), this vulnerability was caused by an
implementation detail of the NSS backend in libcurl, which is
orthogonal to the cause of CVE-2016-5420.

We are not aware of any exploit of this flaw.
INFO

This flaw also affects the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2016-7141 to this issue. AFFECTED VERSIONS

This flaw is present in curl and libcurl only if they are built with
the support for NSS and only if the libnsspem.so library is available
at run-time.

    Affected versions: libcurl 7.19.6 to and including 7.50.1
    Not affected versions: libcurl >=3D 7.50.2

libcurl is used by many applications, but not always advertised as such!
THE SOLUTION

A fix for this flaw is included in libcurl 7.50.2 via commit
curl-7_50_2~32. For older releases of libcurl there is a patch for
CVE-2016-7141. RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order
of preference:

A - Apply the patch on the source code of libcurl and rebuild.

B - Configure libcurl to use a different TLS backend and rebuild.

C - Use certificates from NSS database instead of loading them from
files. TIME LINE

This flaw was reported by Red Hat on August 22nd. The patch fixing the
flaw was published on September 5th. CVE-2016-7141 was assigned to this
flaw on September 6th. This advisory was published on September 7th.
CREDITS

Reported by Red Hat. Security advisory coordinated by Daniel Stenberg.

Thanks a lot!

--=20
Carmel



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?DM3PR20MB0843BC5CC1D191F0D4F3A04480F80>