CVE-2016-5420
First published: Mon Aug 01 2016(Updated: )
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/curl | <0:7.29.0-35.el7 | 0:7.29.0-35.el7 |
| redhat/httpd24-curl | <0:7.61.1-1.el6 | 0:7.61.1-1.el6 |
| redhat/httpd24-httpd | <0:2.4.34-7.el6 | 0:2.4.34-7.el6 |
| redhat/httpd24-nghttp2 | <0:1.7.1-7.el6 | 0:1.7.1-7.el6 |
| redhat/httpd24-curl | <0:7.61.1-1.el7 | 0:7.61.1-1.el7 |
| redhat/httpd24-httpd | <0:2.4.34-7.el7 | 0:2.4.34-7.el7 |
| redhat/httpd24-nghttp2 | <0:1.7.1-7.el7 | 0:1.7.1-7.el7 |
| Debian Debian Linux | =8.0 | |
| Haxx Libcurl | <=7.50.0 | |
| openSUSE Leap | =42.1 | |
| redhat/curl | <7.50.1 | 7.50.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2016-5420 https://nvd.nist.gov/vuln/detail/CVE-2016-5420 https://curl.haxx.se/docs/adv_20160803B.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1362190
- https://access.redhat.com/errata/RHSA-2016:2575
- https://access.redhat.com/errata/RHSA-2016:2957
- https://access.redhat.com/errata/RHSA-2018:3558
- https://access.redhat.com/security/cve/CVE-2016-5420
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html
- http://rhn.redhat.com/errata/RHSA-2016-2575.html
- http://rhn.redhat.com/errata/RHSA-2016-2957.html
- http://www.debian.org/security/2016/dsa-3638
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/92309
- http://www.securitytracker.com/id/1036537
- http://www.securitytracker.com/id/1036739
- http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059
- http://www.ubuntu.com/usn/USN-3048-1
- https://curl.haxx.se/docs/adv_20160803B.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/
- https://security.gentoo.org/glsa/201701-47
- https://source.android.com/security/bulletin/2016-12-01.html
- https://www.tenable.com/security/tns-2016-18
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1363642
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1363643
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1363644
- https://rhn.redhat.com/errata/RHSA-2016-2575.html
- https://rhn.redhat.com/errata/RHSA-2016-2957.html
- https://source.android.com/docs/security/bulletin/2016-12-01 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/remedy
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-5420
- agent/software-canonical-lookup
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/tags
- agent/event
- collector/android-source
- source/Android
- agent/last-modified-date
- agent/trending
- package-manager/redhat
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/haxx
- canonical/haxx libcurl
- version/haxx libcurl/7.50.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/42.1
- vendor/google
- canonical/google android