MGASA-2016-0285

Description

Updated curl packages fix security vulnerability libcurl before 7.50.1 would attempt to resume a TLS session even if the client certificate had changed. That is unacceptable since a server by specification is allowed to skip the client certificate check on resume, and may instead use the old identity which was established by the previous certificate (or no certificate) (CVE-2016-5419). In libcurl before 7.50.1, when using a client certificate for a connection that was then put into the connection pool, that connection could then wrongly get reused in a subsequent request to that same server. This mistakenly using the wrong connection could lead to applications sending requests to the wrong realms of the server using authentication that it wasn't supposed to have for those operations (CVE-2016-5420). libcurl before 7.50.1 is vulnerable to a use-after-free flaw in curl_easy_perform() (CVE-2016-5421).

Affected Systems

• mageia•curl

  < 7.40.0-3.4.mga5

References (5)

• https://advisories.mageia.org/MGASA-2016-0285.html
• https://bugs.mageia.org/show_bug.cgi?id=19123
• https://curl.haxx.se/docs/adv_20160803A.html
• https://curl.haxx.se/docs/adv_20160803B.html
• https://curl.haxx.se/docs/adv_20160803C.html