Resolves: CVE-2016-5420 - fix re-using connections with wrong client cert
This commit is contained in:
parent
22a15a2535
commit
8ef834caac
29
0010-curl-7.47.1-CVE-2016-5420.patch
Normal file
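--- /dev/null
+++ b/0010-curl-7.47.1-CVE-2016-5420.patch
@@ -0,0 +1,29 @@
+From d684e3b136fb77339864d5e48223dea95e7f9ce5 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sun, 31 Jul 2016 00:51:48 +0200
+Subject: [PATCH] TLS: only reuse connections with the same client cert
+
+CVE-2016-5420
+Bug: https://curl.haxx.se/docs/adv_20160803B.html
+
+Upstream-commit: 11ec5ad4352bba384404c56e77c7fab9382fd22d
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+lib/vtls/vtls.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
+index 36465a7..7a3ba71 100644
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -99,6 +99,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data,
+(data->verifyhost == needle->verifyhost) &&
+safe_strequal(data->CApath, needle->CApath) &&
+safe_strequal(data->CAfile, needle->CAfile) &&
++ safe_strequal(data->clientcert, needle->clientcert) &&
+safe_strequal(data->random_file, needle->random_file) &&
+safe_strequal(data->egdsocket, needle->egdsocket) &&
+safe_strequal(data->cipher_list, needle->cipher_list))
+--
+2.5.5
+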
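Review bot: The added `safe_strequal(data->clientcert, needle->clientcert) &&` makes connection-reuse matching depend on the client certificate path alone, so two configurations that name the same certificate file but differ in any other per-connection TLS field that `Curl_ssl_config_matches` does not compare would still be treated as the same client identity; whether a private-key path or key passphrase is part of `struct ssl_config_data` in this 7.47.1 tree is not visible from the hunk and should be confirmed against the struct definition before considering the backport complete. The comparison presumably tolerates NULL on either side, which is what distinguishes a no-client-cert configuration from one with a cert, the CVE-2016-5420 case; that property of `safe_strequal` is not shown here. The body of `Curl_ssl_config_matches` begins before and continues past this hunk, so the remaining fields it compares cannot be reviewed from this page.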
@ -19,6 +19,9 @@ Patch8: 0008-curl-7.47.1-CVE-2016-5421.patch
|
||||
# fix TLS session resumption client cert bypass (CVE-2016-5419)
|
||||
Patch9: 0009-curl-7.47.1-CVE-2016-5419.patch
|
||||
|
||||
# fix re-using connections with wrong client cert (CVE-2016-5420)
|
||||
Patch10: 0010-curl-7.47.1-CVE-2016-5420.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -134,6 +137,7 @@ documentation of the library, too.
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch101 -p1
|
||||
@ -247,6 +251,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
%changelog
|
||||
* Wed Aug 03 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-6
|
||||
- fix re-using connections with wrong client cert (CVE-2016-5420)
|
||||
- fix TLS session resumption client cert bypass (CVE-2016-5419)
|
||||
- fix use of connection struct after free (CVE-2016-5421)
|
||||
|
||||
|