CVE-2016-5419

Published: August 31, 2023Last modified: September 22, 2025

Description

curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.

Severity score breakdown

Status

References

• http://lists.opensuse.org/opensuse-updates/2016-09/msg00011.html
• http://lists.opensuse.org/opensuse-updates/2016-09/msg00094.html
• http://rhn.redhat.com/errata/RHSA-2016-2575.html
• http://rhn.redhat.com/errata/RHSA-2016-2957.html
• http://www.debian.org/security/2016/dsa-3638
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
• http://www.securityfocus.com/bid/92292
• http://www.securityfocus.com/bid/92319
• http://www.securitytracker.com/id/1036538
• http://www.securitytracker.com/id/1038341
• http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.563059
• http://www.ubuntu.com/usn/USN-3048-1
• https://access.redhat.com/errata/RHSA-2018:3558
• https://curl.haxx.se/docs/adv_20160803A.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/GLPXQQKURBQFM4XM6645VRPTOE2AWG33/
• https://lists.fedoraproject.org/archives/list/[email protected]/message/K3GQH4V3XAQ5Z53AMQRDEC3C3UHTW7QR/
• https://security.gentoo.org/glsa/201701-47
• https://source.android.com/security/bulletin/2016-12-01.html
• https://www.tenable.com/security/tns-2016-18