5 matches found
CURL-CVE-2021-22901 TLS session caching disaster
libcurl can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious...
curl: CVE-2021-22901: TLS session caching disaster
Summary: lib/vtls/openssl.c osslconnectstep1 sets up the osslnewsessioncb sessionid callback with SSLCTXsesssetnewcb, and adds association from dataidx and connectdataidx to current conn and data respectively: SSLCTXsetsessioncachemodebackend-ctx, SSLSESSCACHECLIENT | SSLSESSCACHENOINTERNAL;...
CVE-2013-6662
Google Chrome caches TLS sessions before certificate validation occurs...
UBUNTU-CVE-2013-6662
Google Chrome caches TLS sessions before certificate validation occurs...
CURL-CVE-2014-8151 Secure Transport certificate check bypass
libcurl stores TLS Session IDs in its associated Session ID cache when it connects to TLS servers. In subsequent connects it reuses the entry in the cache to resume the TLS connection faster than when doing a full TLS handshake. The actual implementation for the Session ID caching varies dependin...