Security update for curl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2379-1 Final 1 1 2016-09-25T20:38:19Z current 2016-09-25T20:38:19Z 2016-09-25T20:38:19Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: Security issues fixed: - CVE-2016-5419: TLS session resumption client cert bypass (bsc#991389) - CVE-2016-5420: Re-using connections with wrong client cert (bsc#991390) - CVE-2016-5421: use of connection struct after free (bsc#991391) - CVE-2016-7141: Fixed incorrect reuse of client certificates with NSS (bsc#997420) Also the following bug was fixed: - fixing a performance issue (bsc#991746) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html E-Mail link for openSUSE-SU-2016:2379-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 curl-7.37.0-13.1 libcurl-devel-7.37.0-13.1 libcurl-devel-32bit-7.37.0-13.1 libcurl4-7.37.0-13.1 libcurl4-32bit-7.37.0-13.1 curl-7.37.0-13.1 as a component of openSUSE Leap 42.1 libcurl-devel-7.37.0-13.1 as a component of openSUSE Leap 42.1 libcurl-devel-32bit-7.37.0-13.1 as a component of openSUSE Leap 42.1 libcurl4-7.37.0-13.1 as a component of openSUSE Leap 42.1 libcurl4-32bit-7.37.0-13.1 as a component of openSUSE Leap 42.1 curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. CVE-2016-5419 openSUSE Leap 42.1:curl-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-7.37.0-13.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html https://www.suse.com/security/cve/CVE-2016-5419.html CVE-2016-5419 https://bugzilla.suse.com/1033413 SUSE Bug 1033413 https://bugzilla.suse.com/1033442 SUSE Bug 1033442 https://bugzilla.suse.com/991389 SUSE Bug 991389 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. CVE-2016-5420 openSUSE Leap 42.1:curl-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-7.37.0-13.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html https://www.suse.com/security/cve/CVE-2016-5420.html CVE-2016-5420 https://bugzilla.suse.com/991390 SUSE Bug 991390 https://bugzilla.suse.com/997420 SUSE Bug 997420 Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. CVE-2016-5421 openSUSE Leap 42.1:curl-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-7.37.0-13.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html https://www.suse.com/security/cve/CVE-2016-5421.html CVE-2016-5421 https://bugzilla.suse.com/991391 SUSE Bug 991391 curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420. CVE-2016-7141 openSUSE Leap 42.1:curl-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl-devel-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-32bit-7.37.0-13.1 openSUSE Leap 42.1:libcurl4-7.37.0-13.1 low Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html https://www.suse.com/security/cve/CVE-2016-7141.html CVE-2016-7141 https://bugzilla.suse.com/991390 SUSE Bug 991390 https://bugzilla.suse.com/997420 SUSE Bug 997420