REDHAT-BUG-1373229
First published: Mon Sep 05 2016(Updated: )
After testing original <a href="https://access.redhat.com/security/cve/CVE-2016-5420">CVE-2016-5420</a> patch, it was discovered that libcurl built on top of NSS (Network Security Services) still incorrectly re-uses client certificates if a certificate from file is used for one TLS connection but no certificate is set for a subsequent TLS connection. The original patch for <a href="https://access.redhat.com/security/cve/CVE-2016-5420">CVE-2016-5420</a> has been amended to also contain the attached patch: <a href="https://curl.haxx.se/CVE-2016-5420.patch">https://curl.haxx.se/CVE-2016-5420.patch</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libcurl 3 with GnuTLS support | ||
| Mozilla Network Security Services (NSS) |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2016-5420
- https://curl.haxx.se/CVE-2016-5420.patch
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1373230
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1373231
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1373232
- http://seclists.org/oss-sec/2016/q3/419
- https://rhn.redhat.com/errata/RHSA-2016-2575.html
- https://rhn.redhat.com/errata/RHSA-2016-2957.html
- https://curl.haxx.se/docs/adv_20160907.html
- https://access.redhat.com/errata/RHSA-2018:3558
- https://bugzilla.redhat.com/show_bug.cgi?id=1373229
Frequently Asked Questions
What is the severity of REDHAT-BUG-1373229?
The severity of REDHAT-BUG-1373229 is critical due to the potential for client certificate re-use vulnerabilities leading to unauthorized access.
How do I fix REDHAT-BUG-1373229?
To fix REDHAT-BUG-1373229, ensure you are using the latest version of libcurl with the appropriate patches applied.
What software is affected by REDHAT-BUG-1373229?
REDHAT-BUG-1373229 affects libcurl and Mozilla Network Security Services (NSS) configurations.
What vulnerabilities does REDHAT-BUG-1373229 relate to?
REDHAT-BUG-1373229 is associated with CVE-2016-5420, which addresses issues with client certificate re-use.
Is there a workaround for REDHAT-BUG-1373229?
A temporary workaround for REDHAT-BUG-1373229 includes explicitly managing the client certificates to avoid re-use.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-7141
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/curl
- canonical/libcurl 3 with gnutls support
- vendor/mozilla
- canonical/mozilla network security services (nss)