CVE-2016-5420 (retired)

Priority
Description
curl and libcurl before 7.50.1 do not check the client certificate when
choosing the TLS connection to reuse, which might allow remote attackers to
hijack the authentication of the connection by leveraging a previously
created connection with a different client certificate.
Assigned-to
mdeslaur
Notes
sarnold> when built against NSS another patch is needed, see
http://www.openwall.com/lists/oss-security/2016/09/05/1 for information
http://www.openwall.com/lists/oss-security/2016/09/05/7
Package
Source: curl (LP Ubuntu Debian)
Upstream: released (7.50.1-1)
Ubuntu 12.04 ESM (Precise Pangolin): released (7.22.0-3ubuntu4.16)
Ubuntu 16.04 LTS (Xenial Xerus): released (7.47.0-1ubuntu2.1)
Patches:
Upstream: https://curl.haxx.se/CVE-2016-5420.patch
More Information

Updated: 2019-10-09 07:56:54 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)