CVE-2016-5419

Published: August 31, 2023Last modified: December 15, 2025

Description

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.

Severity score breakdown

Status

References

• http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html
• http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html
• http://rhn.redhat.com/errata/RHSA-2016-2575.html
• http://rhn.redhat.com/errata/RHSA-2016-2957.html
• http://www.debian.org/security/2016/dsa-3638
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.securityfocus.com/bid/92292
• http://www.securityfocus.com/bid/92319
• http://www.securitytracker.com/id/1036538
• http://www.securitytracker.com/id/1038341
• http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059
• http://www.ubuntu.com/usn/USN-3048-1
• https://access.redhat.com/errata/RHSA-2018:3558
• https://curl.haxx.se/docs/adv_20160803A.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/
• https://security.gentoo.org/glsa/201701-47
• https://source.android.com/security/bulletin/2016-12-01.html
• https://www.tenable.com/security/tns-2016-18