curl: Incorrect reuse of client certificates (CVE-2016-7141)
libcurl built on top of NSS (Network Security Services) incorrectly re-used a
client certificate if a certificate loaded from a file was used for one TLS
connection but no certificate was set for a subsequent TLS connection.
While the symptoms are similar to CVE-2016-5420 (re-using a connection with
the wrong client certificate), this vulnerability was caused by an
implementation detail of the NSS backend in libcurl, which is orthogonal to
the cause of CVE-2016-5420; fixing one does not fix the other.
Affected versions:
libcurl 7.19.6 to and including 7.50.1
Reference:
https://curl.haxx.se/docs/adv_20160907.html
Patch:
https://curl.haxx.se/CVE-2016-7141.patch
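As a practitioner check, here is an added example (not code from the curl project or from this advisory) that decides from the first line of `curl --version` output whether a build is both in the affected version range and linked against the NSS backend. The sample output lines are constructed, modelled on what NSS-based (Fedora/RHEL) and OpenSSL-based (Debian/Ubuntu) builds of that era printed; the list of backend names is an assumption covering the TLS backends libcurl supported at the time.

```python
import re
import subprocess

# Version range from the advisory: libcurl 7.19.6 up to and including 7.50.1.
AFFECTED_MIN = (7, 19, 6)
AFFECTED_MAX = (7, 50, 1)

# Constructed sample first lines of `curl --version`, not captured from real hosts.
SAMPLE_NSS_AFFECTED = ("curl 7.43.0 (x86_64-redhat-linux-gnu) libcurl/7.43.0 "
                       "NSS/3.19.1 Basic ECC zlib/1.2.8 libidn/1.28 libssh2/1.5.0")
SAMPLE_OPENSSL = ("curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 "
                  "OpenSSL/1.0.2g zlib/1.2.8 libidn/1.32 librtmp/2.3")
SAMPLE_NSS_FIXED = ("curl 7.50.2 (x86_64-redhat-linux-gnu) libcurl/7.50.2 "
                    "NSS/3.25 zlib/1.2.8 libidn/1.33 libssh2/1.7.0")
SAMPLE_NSS_TOO_OLD = ("curl 7.19.5 (x86_64-redhat-linux-gnu) libcurl/7.19.5 "
                      "NSS/3.12.3 zlib/1.2.3")

# Assumed set of backend names as libcurl prints them in the version line.
TLS_BACKENDS = ("NSS", "OpenSSL", "LibreSSL", "BoringSSL", "GnuTLS", "WolfSSL",
                "PolarSSL", "mbedTLS", "axTLS", "SecureTransport", "WinSSL")


def parse_version(text):
    """'7.50.1' -> (7, 50, 1); tolerates '7.50.1-DEV' style suffixes."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not a curl version: %r" % text)
    return tuple(int(x) for x in m.groups())


def libcurl_version(first_line):
    """Version of the library (the libcurl/x.y.z token), which is what the
    advisory ranges refer to, rather than the curl front-end version."""
    m = re.search(r"\blibcurl/(\d+\.\d+\.\d+)", first_line)
    if not m:
        raise ValueError("no libcurl/x.y.z token in: %r" % first_line)
    return parse_version(m.group(1))


def tls_backends(first_line):
    """Backend names present as NAME/version tokens on the version line.
    Tokens such as 'Basic' and 'ECC' that NSS builds print are ignored."""
    found = []
    for token in first_line.split():
        name = token.split("/", 1)[0]
        for backend in TLS_BACKENDS:
            if name.lower() == backend.lower():
                found.append(backend)
    return found


def is_affected(first_line):
    """True only for an NSS-backed libcurl inside the advisory's version range."""
    ver = libcurl_version(first_line)
    return "NSS" in tls_backends(first_line) and AFFECTED_MIN <= ver <= AFFECTED_MAX


if __name__ == "__main__":
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=True).stdout
        line = out.splitlines()[0]
    except (OSError, subprocess.CalledProcessError):
        line = SAMPLE_NSS_AFFECTED  # fall back to the constructed sample
    print(line)
    print("libcurl", libcurl_version(line), "backends", tls_backends(line),
          "in CVE-2016-7141 range with NSS:", is_affected(line))
```

A positive result means "investigate", not "vulnerable": distributions backport fixes without bumping the version, so confirm against the package changelog or the presence of the patch above. Conversely, `curl --version` only describes the curl binary; other programs may link a different libcurl, which you have to inspect separately.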
(from redmine: issue id 6133, created on 2016-09-12, closed on 2016-10-14)
- Relations:
- child #6134 (closed)
- child #6135 (closed)
- child #6136 (closed)
- child #6137 (closed)