SB2016080405 - Cryptographic issues in curl (Alpine package)
Published: August 4, 2016
Security Bulletin ID
SB2016080405
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Cryptographic issues (CVE-ID: CVE-2016-5419)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=e57c1f8b95e9a6aecc75e9eaae6c7bf9e259adb6
- https://git.alpinelinux.org/aports/commit/?id=7079fe21530ae1c8147925d8b591131b786ab2e9
- https://git.alpinelinux.org/aports/commit/?id=619d9f8608068fab555a9a54e6154eb798eb5c2c
- https://git.alpinelinux.org/aports/commit/?id=39696e7a1a7079578ea07cb9514fd0c50105340e
- https://git.alpinelinux.org/aports/commit/?id=0b5317d5717ad95fbe3c5737438b3f62f5457f61
- https://git.alpinelinux.org/aports/commit/?id=773b3cce8cf0ef9f65aa00ac6985aaba3f582b2c
- https://git.alpinelinux.org/aports/commit/?id=e2a41181980948dc15f6b20a9b6980444f9f73df
- https://git.alpinelinux.org/aports/commit/?id=4bdd777b8634c3c2ef8d4bb6254f22cea78b46d6