Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2016:2330-1

Опубликовано: 16 сент. 2016
Источник: suse-cvrf

Описание

Security update for curl

This update for curl fixes the following issues:

Security issues fixed:

  • CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389)
  • CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390)
  • CVE-2016-5421: use of connection struct after free (bsc#991391)
  • CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420)

Also the following bug was fixed:

  • fixing a performance issue (bsc#991746)

Список пакетов

SUSE Linux Enterprise Desktop 12 SP1
curl-7.37.0-28.1
libcurl4-7.37.0-28.1
libcurl4-32bit-7.37.0-28.1
SUSE Linux Enterprise Server 12 SP1
curl-7.37.0-28.1
libcurl4-7.37.0-28.1
libcurl4-32bit-7.37.0-28.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1
curl-7.37.0-28.1
libcurl4-7.37.0-28.1
libcurl4-32bit-7.37.0-28.1
SUSE Linux Enterprise Software Development Kit 12 SP1
libcurl-devel-7.37.0-28.1

Ссылки

Описание

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.

Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP1:curl-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-32bit-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-7.37.0-28.1
SUSE Linux Enterprise Server 12 SP1:curl-7.37.0-28.1
Ссылки

Описание

curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.

Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP1:curl-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-32bit-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-7.37.0-28.1
SUSE Linux Enterprise Server 12 SP1:curl-7.37.0-28.1
Ссылки

Описание

Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors.

Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP1:curl-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-32bit-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-7.37.0-28.1
SUSE Linux Enterprise Server 12 SP1:curl-7.37.0-28.1
Ссылки

Описание

curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.

Затронутые продукты
SUSE Linux Enterprise Desktop 12 SP1:curl-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-32bit-7.37.0-28.1
SUSE Linux Enterprise Desktop 12 SP1:libcurl4-7.37.0-28.1
SUSE Linux Enterprise Server 12 SP1:curl-7.37.0-28.1
Ссылки