OSV:DSA-3638-1 (source: Google OSV)
Aug 03, 2016 - 12:00 a.m.

curl - security update

EPSS: 0.008 (percentile: 82.5%)

Several vulnerabilities were discovered in cURL, a URL transfer library:

  • CVE-2016-5419
    Bru Rom discovered that libcurl would attempt to resume a TLS session
    even if the client certificate had changed.
  • CVE-2016-5420
    It was discovered that libcurl did not consider client certificates
    when reusing TLS connections.
  • CVE-2016-5421
    Marcelo Echeverria and Fernando Muñoz discovered that libcurl was
    vulnerable to a use-after-free flaw.

For the stable distribution (jessie), these problems have been fixed in
version 7.38.0-4+deb8u4.

For the unstable distribution (sid), these problems have been fixed in
version 7.50.1-1.

We recommend that you upgrade your curl packages.