[SECURITY] [DLA 616-1] curl security update

2016-09-0911:48:43

lists.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.2 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.2%

JSON

Package : curl
Version : 7.26.0-1+wheezy15
CVE ID : CVE-2016-7141
Debian Bug : 836918

It was discovered that libcurl built on top of NSS (Network Security
Services) incorrectly re-used client certificates if a certificate from
file was used for one TLS connection but no certificate set for a
subsequent TLS connection.

For Debian 7 "Wheezy", this problem has been fixed in version
7.26.0-1+wheezy15.

We recommend that you upgrade your curl packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8i386libcurl3-gnutls< 7.38.0-4+deb8u13libcurl3-gnutls_7.38.0-4+deb8u13_i386.deb
Debian7armellibcurl3< 7.26.0-1+wheezy15libcurl3_7.26.0-1+wheezy15_armel.deb
Debian7allcurl< 7.26.0-1+wheezy15curl_7.26.0-1+wheezy15_all.deb
Debian7amd64libcurl3< 7.26.0-1+wheezy15libcurl3_7.26.0-1+wheezy15_amd64.deb
Debian8armhflibcurl4-gnutls-dev< 7.38.0-4+deb8u13libcurl4-gnutls-dev_7.38.0-4+deb8u13_armhf.deb
Debian8allcurl< 7.38.0-4+deb8u13curl_7.38.0-4+deb8u13_all.deb
Debian7armhflibcurl4-openssl-dev< 7.26.0-1+wheezy15libcurl4-openssl-dev_7.26.0-1+wheezy15_armhf.deb
Debian7amd64libcurl4-openssl-dev< 7.26.0-1+wheezy15libcurl4-openssl-dev_7.26.0-1+wheezy15_amd64.deb
Debian7amd64curl< 7.26.0-1+wheezy15curl_7.26.0-1+wheezy15_amd64.deb
Debian8amd64libcurl4-nss-dev< 7.38.0-4+deb8u13libcurl4-nss-dev_7.38.0-4+deb8u13_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	i386	libcurl3-gnutls	< 7.38.0-4+deb8u13	libcurl3-gnutls_7.38.0-4+deb8u13_i386.deb
Debian	7	armel	libcurl3	< 7.26.0-1+wheezy15	libcurl3_7.26.0-1+wheezy15_armel.deb
Debian	7	all	curl	< 7.26.0-1+wheezy15	curl_7.26.0-1+wheezy15_all.deb
Debian	7	amd64	libcurl3	< 7.26.0-1+wheezy15	libcurl3_7.26.0-1+wheezy15_amd64.deb
Debian	8	armhf	libcurl4-gnutls-dev	< 7.38.0-4+deb8u13	libcurl4-gnutls-dev_7.38.0-4+deb8u13_armhf.deb
Debian	8	all	curl	< 7.38.0-4+deb8u13	curl_7.38.0-4+deb8u13_all.deb
Debian	7	armhf	libcurl4-openssl-dev	< 7.26.0-1+wheezy15	libcurl4-openssl-dev_7.26.0-1+wheezy15_armhf.deb
Debian	7	amd64	libcurl4-openssl-dev	< 7.26.0-1+wheezy15	libcurl4-openssl-dev_7.26.0-1+wheezy15_amd64.deb
Debian	7	amd64	curl	< 7.26.0-1+wheezy15	curl_7.26.0-1+wheezy15_amd64.deb
Debian	8	amd64	libcurl4-nss-dev	< 7.38.0-4+deb8u13	libcurl4-nss-dev_7.38.0-4+deb8u13_amd64.deb