CVE-2016-7141 in Ubuntu

CVE-2016-7141

Priority

Description

curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so
library is available at runtime, allow remote attackers to hijack the
authentication of a TLS connection by leveraging reuse of a previously
loaded client certificate from file for a connection for which no
certificate has been set, a different vulnerability than CVE-2016-5420.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7141
http://seclists.org/oss-sec/2016/q3/419
https://curl.haxx.se/docs/adv_20160907.html
https://ubuntu.com/security/notices/USN-3123-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836918

Assigned-to

mdeslaur

Notes

tyhicks

only affects libcurl3-nss which is not widely used libcurl3 (OpenSSL
based)

Package

Source: curl (LP Ubuntu Debian)

Upstream:	released (7.50.2)
Ubuntu 16.04 ESM:	released (7.47.0-1ubuntu2.2)
Ubuntu 14.04 ESM:	released (7.35.0-1ubuntu2.10)

Patches:

Upstream:

https://curl.haxx.se/CVE-2016-7141.patch

More Information

Updated: 2022-04-13 12:30:19 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)