Vulnerability CVE-2017-2629: Information

Description

curl before 7.53.0 has an incorrect TLS Certificate Status Request extension feature that asks for a fresh proof of the server's certificate's validity in the code that checks for a test success or failure. It ends up always thinking there's valid proof, even when there is none or if the server doesn't support the TLS extension in question. This could lead to users not detecting when a server's certificate goes invalid or otherwise be mislead that the server is in a better shape than it is in reality. This flaw also exists in the command line tool (--cert-status).

Severity: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-2629
Published: July 27, 2018
Modified: Oct. 10, 2019
Error type identifier: CWE-295

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
curlsisyphus7.53.0-alt1.S18.7.1-alt2ALT-PU-2017-1197-1178480Fixed
curlp107.53.0-alt1.S18.7.1-alt2ALT-PU-2017-1197-1178480Fixed
curlp97.53.0-alt1.S17.79.0-alt2ALT-PU-2017-1197-1178480Fixed
curlp87.53.0-alt1.M80P.17.65.0-alt1ALT-PU-2017-1200-1178485Fixed
curlc10f17.53.0-alt1.S18.6.0-alt1ALT-PU-2017-1197-1178480Fixed
curlc9f27.53.0-alt1.S18.6.0-alt1ALT-PU-2017-1197-1178480Fixed
curlc77.56.1-alt1.M70C.1.17.56.1-alt1.M70C.1.1ALT-PU-2018-1442-1202075Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://curl.haxx.se/docs/adv_20170222.html
  • Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2629
  • Issue Tracking
  • Patch
  • Third Party Advisory
https://www.tenable.com/security/tns-2017-09
  • Third Party Advisory
GLSA-201703-04
  • Third Party Advisory
1037871
  • Third Party Advisory
  • VDB Entry
96382
  • Third Party Advisory
  • VDB Entry

    1. Configuration 1

      cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
      End excliding
      7.53.0
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.1
Back to top