Security update for curl SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:2227-1 Final 1 1 2016-09-02T13:01:53Z current 2016-09-02T13:01:53Z 2016-09-02T13:01:53Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for curl This update for curl fixes the following issues: - fixing a performance regression with FTP (boo#991746) - TLS session resumption client cert bypass (boo#991389, CVE-2016-5419) - Re-using connections with wrong client cert (boo#991390, CVE-2016-5420) - use of connection struct after free (boo#991391, CVE-2016-5421) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html E-Mail link for openSUSE-SU-2016:2227-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 curl-7.42.1-25.1 curl-debuginfo-7.42.1-25.1 curl-debugsource-7.42.1-25.1 libcurl-devel-7.42.1-25.1 libcurl-devel-32bit-7.42.1-25.1 libcurl4-7.42.1-25.1 libcurl4-32bit-7.42.1-25.1 libcurl4-debuginfo-7.42.1-25.1 libcurl4-debuginfo-32bit-7.42.1-25.1 curl-7.42.1-25.1 as a component of openSUSE 13.2 curl-debuginfo-7.42.1-25.1 as a component of openSUSE 13.2 curl-debugsource-7.42.1-25.1 as a component of openSUSE 13.2 libcurl-devel-7.42.1-25.1 as a component of openSUSE 13.2 libcurl-devel-32bit-7.42.1-25.1 as a component of openSUSE 13.2 libcurl4-7.42.1-25.1 as a component of openSUSE 13.2 libcurl4-32bit-7.42.1-25.1 as a component of openSUSE 13.2 libcurl4-debuginfo-7.42.1-25.1 as a component of openSUSE 13.2 libcurl4-debuginfo-32bit-7.42.1-25.1 as a component of openSUSE 13.2 curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session. CVE-2016-5419 openSUSE 13.2:curl-7.42.1-25.1 openSUSE 13.2:curl-debuginfo-7.42.1-25.1 openSUSE 13.2:curl-debugsource-7.42.1-25.1 openSUSE 13.2:libcurl-devel-32bit-7.42.1-25.1 openSUSE 13.2:libcurl-devel-7.42.1-25.1 openSUSE 13.2:libcurl4-32bit-7.42.1-25.1 openSUSE 13.2:libcurl4-7.42.1-25.1 openSUSE 13.2:libcurl4-debuginfo-32bit-7.42.1-25.1 openSUSE 13.2:libcurl4-debuginfo-7.42.1-25.1 moderate 5.7 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5419.html CVE-2016-5419 https://bugzilla.suse.com/1033413 SUSE Bug 1033413 https://bugzilla.suse.com/1033442 SUSE Bug 1033442 https://bugzilla.suse.com/991389 SUSE Bug 991389 curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate. CVE-2016-5420 openSUSE 13.2:curl-7.42.1-25.1 openSUSE 13.2:curl-debuginfo-7.42.1-25.1 openSUSE 13.2:curl-debugsource-7.42.1-25.1 openSUSE 13.2:libcurl-devel-32bit-7.42.1-25.1 openSUSE 13.2:libcurl-devel-7.42.1-25.1 openSUSE 13.2:libcurl4-32bit-7.42.1-25.1 openSUSE 13.2:libcurl4-7.42.1-25.1 openSUSE 13.2:libcurl4-debuginfo-32bit-7.42.1-25.1 openSUSE 13.2:libcurl4-debuginfo-7.42.1-25.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5420.html CVE-2016-5420 https://bugzilla.suse.com/991390 SUSE Bug 991390 https://bugzilla.suse.com/997420 SUSE Bug 997420 Use-after-free vulnerability in libcurl before 7.50.1 allows attackers to control which connection is used or possibly have unspecified other impact via unknown vectors. CVE-2016-5421 openSUSE 13.2:curl-7.42.1-25.1 openSUSE 13.2:curl-debuginfo-7.42.1-25.1 openSUSE 13.2:curl-debugsource-7.42.1-25.1 openSUSE 13.2:libcurl-devel-32bit-7.42.1-25.1 openSUSE 13.2:libcurl-devel-7.42.1-25.1 openSUSE 13.2:libcurl4-32bit-7.42.1-25.1 openSUSE 13.2:libcurl4-7.42.1-25.1 openSUSE 13.2:libcurl4-debuginfo-32bit-7.42.1-25.1 openSUSE 13.2:libcurl4-debuginfo-7.42.1-25.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html https://www.suse.com/security/cve/CVE-2016-5421.html CVE-2016-5421 https://bugzilla.suse.com/1017590 SUSE Bug 1017590 https://bugzilla.suse.com/991391 SUSE Bug 991391