From owner-freebsd-questions@freebsd.org Wed Sep 7 12:48:16 2016 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 1B1B2BC6185 for ; Wed, 7 Sep 2016 12:48:16 +0000 (UTC) (envelope-from carmel_ny@outlook.com) Received: from BAY004-OMC4S21.hotmail.com (bay004-omc4s21.hotmail.com [65.54.190.223]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (Client CN "*.outlook.com", Issuer "Microsoft IT SSL SHA2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E074E127D for ; Wed, 7 Sep 2016 12:48:15 +0000 (UTC) (envelope-from carmel_ny@outlook.com) Received: from NAM03-DM3-obe.outbound.protection.outlook.com ([65.54.190.201]) by BAY004-OMC4S21.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23008); Wed, 7 Sep 2016 05:47:10 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=JtUJFnmQg38Ko9X9JIja8Xghetq6vdxUQM1F3O+sac8=; b=WGPHj+EuXk++nP2LjZ+GSJPhcuQwUjO4EDxuPx2SLwciKRrh5N4TZgkSk2jnYM4P7OHV4fcfWyOyIL6iyK4mIavRgr2QpQqf/n4UjYmFrpwC8O23EsnstQw6aBawmA1CGIFHmSvZ8HIT+RVmuAFKBgCkaVn4wTKbUMY+MIvirqrSrBtFCh3zq+2ZSXHC28cvV3MKnil3Xm1d6UZDQ17isCrgvTOHvQz5PBMYOXnMvdQoI4S7BnkFqbHFHIXdQuhfmCFcI+rMgzEp0NR0QpR3lUFoBwlNBOOedoIIW5EHJUxHvmukSSMW0Jo2+DeXX9yxFEQM6J+5o00T7h2UARBIPA== Received: from BY2NAM03FT008.eop-NAM03.prod.protection.outlook.com (10.152.84.60) by BY2NAM03HT109.eop-NAM03.prod.protection.outlook.com (10.152.85.95) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.609.6; Wed, 7 Sep 2016 12:47:09 +0000 Received: from DM3PR20MB0843.namprd20.prod.outlook.com (10.152.84.58) by BY2NAM03FT008.mail.protection.outlook.com (10.152.84.101) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.609.6 via Frontend Transport; Wed, 7 Sep 2016 12:47:09 +0000 Received: from DM3PR20MB0843.namprd20.prod.outlook.com ([10.166.166.15]) by DM3PR20MB0843.namprd20.prod.outlook.com ([10.166.166.15]) with mapi id 15.01.0599.010; Wed, 7 Sep 2016 12:47:09 +0000 From: Gerard Seibert To: "freebsd-questions@freebsd.org" Subject: libcurl vulnerability Thread-Topic: libcurl vulnerability Thread-Index: AQHSCQXylNWLdEXD30+N2xvF34LAeg== Date: Wed, 7 Sep 2016 12:47:09 +0000 Message-ID: Reply-To: "freebsd-questions@freebsd.org" Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=softfail (sender IP is 10.152.84.58) smtp.mailfrom=outlook.com; freebsd.org; dkim=none (message not signed) header.d=none;freebsd.org; dmarc=fail action=none header.from=outlook.com; received-spf: SoftFail (protection.outlook.com: domain of transitioning outlook.com discourages use of 10.152.84.58 as permitted sender) x-incomingtopheadermarker: TopHeader x-ms-exchange-messagesentrepresentingtype: 1 x-incomingheadercount: 34 x-eopattributedmessage: 0 x-microsoft-exchange-diagnostics: 1; BY2NAM03HT109; 6:DAJ0xL6ZVhZ7YlHzZkN36u2ThdFQxnWtgZCASh76QlbMFSpYO7jDQ5QNS2ioRPUw115GcgB0BnjTBKH4wrBnhbvB5O//YPhcfxvpqkZEqNCYXUhT85wbJ6D/DsPruZxaXikQdN5FM2lptXBsffnQ7BZ5rMFGX7AID0dVZD0dt+B0T+FP8zMRnVmOWuh/9HVZ6WKNSNkVgGu0sqR6aFvoWNhDXKYRo9xmgIHrH3R+/bbUk+C2KkMfDUGUAXxWOstgKxcZ5lSwWowJ8dTtqSxjjI5ECMViSfdkuTAGxjiUYwGzQ0UNT2knUjcQFr4f++jb; 5:tk7yaDDY4vj+4EMMG3tbGvB4AUjT9rJoBqn/VWRHRN6jDpulB3F/WVPeJt2fYoavqQ9KPndGGVoHELZz8gKCY1vpp2DrkVWIUBlu2fUAL2E8WVFaQjubSYsMuEsXzhjtRGl+41fPF+0FwU68UBFO6g==; 24:FK67rU9mSJRu8tpnyNJMtAWVkAepVw4pBRvaALAzcAUu5GfNsQboryEXqci3Wf+oJahmkU4bLTe2jtO3nlSS/9noh/ojI0mzLMdkeha7ED4=; 7:yIpCrUYs8q2mVQGz5bhzzPPQxQ+9aQNiGiLAakQDnj4z8DUkD7r9uAJ71yVhq0GFzHS+jKRgrn8OApf92BQfNERUaxhiJFkPxz7YJR05yJ/oRAlkeIMM/Ca1ZEUjObaj12WOeHJ0rkUYvSU5w0bEW5LM0Uq4j0Zsh93duHq9wXazgAYOU8elKqSYmp21U0FP9DILnvzgmp89kwPP92Fglgd8hluqedZMGDNgKx8CnSRos5x5CWoRkOXZpP67QRqV x-forefront-antispam-report: EFV:NLI; SFV:NSPM; SFS:(10019020)(98900003); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2NAM03HT109; H:DM3PR20MB0843.namprd20.prod.outlook.com; FPR:; SPF:None; LANG:en; x-ms-office365-filtering-correlation-id: f97771c4-5776-428e-7d11-08d3d71d13ea x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(1601124038)(1603103081)(1601125047); SRVR:BY2NAM03HT109; x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(432015012)(82015046); SRVR:BY2NAM03HT109; BCL:0; PCL:0; RULEID:; SRVR:BY2NAM03HT109; x-forefront-prvs: 0058ABBBC7 spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: text/plain; charset="us-ascii" Content-ID: <897405777AB71A408214EF8E9619A10B@namprd20.prod.outlook.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: outlook.com X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Sep 2016 12:47:09.0370 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2NAM03HT109 X-OriginalArrivalTime: 07 Sep 2016 12:47:11.0012 (UTC) FILETIME=[F364C640:01D20905] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Sep 2016 12:48:16 -0000 Does this vulnerability affect FreeBSD? =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Incorrect reuse of client certificates Project cURL Security Advisory, September 7th 2016 - Permalink VULNERABILITY libcurl built on top of NSS (Network Security Services) incorrectly re-used client certificates if a certificate from file was used for one TLS connection but no certificate set for a subsequent TLS connection. While the symptoms are similar to CVE-2016-5420 (Re-using connection with wrong client cert), this vulnerability was caused by an implementation detail of the NSS backend in libcurl, which is orthogonal to the cause of CVE-2016-5420. We are not aware of any exploit of this flaw. INFO This flaw also affects the curl command line tool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2016-7141 to this issue. AFFECTED VERSIONS This flaw is present in curl and libcurl only if they are built with the support for NSS and only if the libnsspem.so library is available at run-time. Affected versions: libcurl 7.19.6 to and including 7.50.1 Not affected versions: libcurl >=3D 7.50.2 libcurl is used by many applications, but not always advertised as such! THE SOLUTION A fix for this flaw is included in libcurl 7.50.2 via commit curl-7_50_2~32. For older releases of libcurl there is a patch for CVE-2016-7141. RECOMMENDATIONS We suggest you take one of the following actions immediately, in order of preference: A - Apply the patch on the source code of libcurl and rebuild. B - Configure libcurl to use a different TLS backend and rebuild. C - Use certificates from NSS database instead of loading them from files. TIME LINE This flaw was reported by Red Hat on August 22nd. The patch fixing the flaw was published on September 5th. CVE-2016-7141 was assigned to this flaw on September 6th. This advisory was published on September 7th. CREDITS Reported by Red Hat. Security advisory coordinated by Daniel Stenberg. Thanks a lot! --=20 Carmel