CVE-2017-7468

Priority
Medium
Description
curl and libcurl between 7.52.0 and 7.53.1 do not prevent TLS
session resumption when the client certificate has changed, which
allows remote attackers to bypass intended restrictions by resuming
a session.
Ubuntu-Description
It was discovered that curl incorrectly handled client certificates
when resuming a TLS session. A remote attacker could use this to hijack
a previously authenticated connection.
References
Bugs
Notes
 sbeattie> reported upstream mitigation:
  Set `CURLOPT_SSL_SESSIONID_CACHE` to 0L when using client certificates
Assigned-to
sbeattie
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.52.1-5)
Ubuntu 17.10 (Artful Aardvark): not-affected (7.52.1-5ubuntu1)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected
Ubuntu Core 15.04: not-affected
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Ubuntu 17.04 (Zesty Zapus): released (7.52.1-4ubuntu1.1)
More Information

Updated: 2017-08-11 23:55:56 UTC (commit 13081)