CVE-2016-5420

Priority
Description
curl and libcurl before 7.50.1 do not check the client certificate when
choosing the TLS connection to reuse, which might allow remote attackers to
hijack the authentication of the connection by leveraging a previously
created connection with a different client certificate.
Assigned-to
mdeslaur
Notes
sarnold> when built against NSS, another patch is needed; see
http://www.openwall.com/lists/oss-security/2016/09/05/1 for information
http://www.openwall.com/lists/oss-security/2016/09/05/7
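The description above says the connection-reuse match in libcurl compared the TLS settings of a cached connection but not the client certificate, so a second transfer asking for a different client cert could ride on a connection already authenticated as someone else. The following is an added model of that check, written for this page and not libcurl source: the struct, the two match functions and the one-slot cache are all hypothetical names, and the certificate paths and host are constructed sample input. It shows the pre-fix comparison beside one that includes the client cert, and the note above about the NSS build is the reminder that the comparison has to be applied in every place a backend keys its cache, which this single-slot model does not attempt to cover.

```c
/* Added illustration for CVE-2016-5420; not libcurl code. All names,
 * hosts and certificate paths below are hypothetical/constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The subset of a TLS configuration that decides whether a new request
 * may share an already established connection. */
struct ssl_config {
    const char *host;
    int         port;
    bool        verifypeer;
    bool        verifyhost;
    const char *cafile;
    const char *clientcert;   /* client cert path/nickname, or NULL for none */
};

typedef bool (*match_fn)(const struct ssl_config *, const struct ssl_config *);

/* strcmp that treats two NULLs as equal and NULL vs. non-NULL as different. */
static bool safe_streq(const char *a, const char *b)
{
    if (a == NULL && b == NULL) return true;
    if (a == NULL || b == NULL) return false;
    return strcmp(a, b) == 0;
}

/* Modelled pre-7.50.1 behaviour: every TLS setting except the client
 * certificate takes part in the match. */
bool ssl_config_matches_vulnerable(const struct ssl_config *a,
                                   const struct ssl_config *b)
{
    return strcmp(a->host, b->host) == 0 && a->port == b->port
        && a->verifypeer == b->verifypeer
        && a->verifyhost == b->verifyhost
        && safe_streq(a->cafile, b->cafile);
}

/* Modelled fixed behaviour: the client certificate is part of the match, so a
 * request with a different (or no) client cert gets its own TLS handshake. */
bool ssl_config_matches_fixed(const struct ssl_config *a,
                              const struct ssl_config *b)
{
    return ssl_config_matches_vulnerable(a, b)
        && safe_streq(a->clientcert, b->clientcert);
}

/* One-slot connection cache. Returns true when the cached connection is
 * reused for the request, false when a new connection would be opened. */
struct conn_cache { bool occupied; struct ssl_config cfg; };

bool cache_lookup_or_insert(struct conn_cache *cache,
                            const struct ssl_config *req, match_fn matches)
{
    if (cache->occupied && matches(&cache->cfg, req))
        return true;
    cache->occupied = true;
    cache->cfg = *req;
    return false;
}

/* Scenario: request 1 authenticates with cert1, request 2 asks for cert2
 * (NULL = no client cert) to the same host with identical other settings.
 * Returns true if request 2 would reuse request 1's authenticated connection. */
bool second_request_reuses(const char *cert1, const char *cert2, match_fn matches)
{
    struct conn_cache cache = {0};
    struct ssl_config first = { "api.example.test", 443, true, true,
                                "/etc/ssl/ca.pem", cert1 };
    struct ssl_config second = first;   /* same host, port, CA and verify flags */
    second.clientcert = cert2;
    cache_lookup_or_insert(&cache, &first, matches);
    return cache_lookup_or_insert(&cache, &second, matches);
}

int main(void)
{
    const char *alice = "/home/alice/alice.pem";   /* constructed sample paths */
    const char *bob   = "/home/bob/bob.pem";
    printf("vulnerable match, alice then bob: reuse=%d\n",
           second_request_reuses(alice, bob, ssl_config_matches_vulnerable));
    printf("fixed match, alice then bob:      reuse=%d\n",
           second_request_reuses(alice, bob, ssl_config_matches_fixed));
    printf("fixed match, alice then no cert:  reuse=%d\n",
           second_request_reuses(alice, NULL, ssl_config_matches_fixed));
    printf("fixed match, alice then alice:    reuse=%d\n",
           second_request_reuses(alice, alice, ssl_config_matches_fixed));
    return 0;
}
```

The last case matters as much as the first: the fix must still allow a transfer with the same client certificate to reuse the connection, otherwise every client-authenticated request would pay for a fresh handshake. The NULL case covers the other direction the description implies, a request presenting no client cert inheriting an authenticated connection.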
Package
Source: curl (LP Ubuntu Debian)
Upstream:released (7.50.1-1)
Ubuntu 12.04 ESM (Precise Pangolin):released (7.22.0-3ubuntu4.16)
Ubuntu 14.04 ESM (Trusty Tahr):released (7.35.0-1ubuntu2.8)
Ubuntu 16.04 LTS (Xenial Xerus):released (7.47.0-1ubuntu2.1)
Patches:
Upstream:https://curl.haxx.se/CVE-2016-5420.patch
More Information

Updated: 2020-03-18 22:45:40 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)