CVE-2016-5420 (retired)

Priority
Description
curl and libcurl before 7.50.1 do not check the client certificate when
choosing the TLS connection to reuse, which might allow remote attackers to
hijack the authentication of the connection by leveraging a previously
created connection with a different client certificate.
Notes
 sarnold> when built against NSS another patch is needed, see
  http://www.openwall.com/lists/oss-security/2016/09/05/1 for information
  http://www.openwall.com/lists/oss-security/2016/09/05/7
Assigned-to
mdeslaur
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.50.1-1)
Ubuntu 12.04 ESM (Precise Pangolin): released (7.22.0-3ubuntu4.16)
Ubuntu 14.04 LTS (Trusty Tahr): released (7.35.0-1ubuntu2.8)
Ubuntu 16.04 LTS (Xenial Xerus): released (7.47.0-1ubuntu2.1)
Patches:
Upstream: https://curl.haxx.se/CVE-2016-5420.patch

Updated: 2019-03-26 12:22:11 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)