curl-7.29.0-35.el7

エラータID: AXSA:2016-1132:01

Release date: 
Wednesday, November 30, 2016 - 13:17
Subject: 
curl-7.29.0-35.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

curl is a command line tool for transferring data with URL syntax, supporting
FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP,
SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP
uploading, HTTP form based upload, proxies, cookies, user password
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer
resume, proxy tunneling and a busload of other useful tricks.

Security issues fixed with this release:

CVE-2016-5419
curl and libcurl before 7.50.1 do not prevent TLS session resumption
when the client certificate has changed, which allows remote attackers
to bypass intended restrictions by resuming a session.
CVE-2016-5420
curl and libcurl before 7.50.1 do not check the client certificate
when choosing the TLS connection to reuse, which might allow remote
attackers to hijack the authentication of the connection by leveraging
a previously created connection with a different client certificate.
CVE-2016-7141
curl and libcurl before 7.50.2, when built with NSS and the
libnsspem.so library is available at runtime, allow remote attackers
to hijack the authentication of a TLS connection by leveraging reuse
of a previously loaded client certificate from file for a connection
for which no certificate has been set, a different vulnerability than
CVE-2016-5420.

Additional Changes:

Solution: 

Update packages.

CVEs: 
CVE-2016-5419
curl and libcurl before 7.50.1 do not prevent TLS session resumption when the client certificate has changed, which allows remote attackers to bypass intended restrictions by resuming a session.
CVE-2016-5420
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
CVE-2016-5420.
curl and libcurl before 7.50.1 do not check the client certificate when choosing the TLS connection to reuse, which might allow remote attackers to hijack the authentication of the connection by leveraging a previously created connection with a different client certificate.
CVE-2016-7141
curl and libcurl before 7.50.2, when built with NSS and the libnsspem.so library is available at runtime, allow remote attackers to hijack the authentication of a TLS connection by leveraging reuse of a previously loaded client certificate from file for a connection for which no certificate has been set, a different vulnerability than CVE-2016-5420.
Additional Info: 

N/A

Download: 

SRPMS
  1. curl-7.29.0-35.el7.src.rpm
    MD5: c1312c7521f3d3cd2b66938fceb410d2
    SHA-256: 02a6f68065c5cafcadf7636acfdb7cd0ed15cbecc8cd4ce146e50e0a0266353b
    Size: 2.18 MB

Asianux Server 7 for x86_64
  1. curl-7.29.0-35.el7.x86_64.rpm
    MD5: 164c6b35c700a64d054ff4e348c895ff
    SHA-256: 5c1b2da933b50d72114f39890006c0de99a650216880f939f8265cbf08569e00
    Size: 264.49 kB
  2. libcurl-7.29.0-35.el7.x86_64.rpm
    MD5: 9c2ff1f9c663329fc935342e1dc2c5ef
    SHA-256: 98f64ef269b4f54301feda1ccc778ccaa9bc7f12b2872ee7706523c66bac6abf
    Size: 217.02 kB
  3. libcurl-devel-7.29.0-35.el7.x86_64.rpm
    MD5: 71f5341786ae528c419dc1042deba969
    SHA-256: 08a8751c70d5ccf9ecd791264169013f23bdfcd0bf60a5963424d31a88bd6bf3
    Size: 297.69 kB
  4. libcurl-7.29.0-35.el7.i686.rpm
    MD5: cc0608deddf893786285316405cea6b7
    SHA-256: b351285c0ee24c25339664f678f0c374bce3fc0f5cfaccc205d120de4a3f8be0
    Size: 219.70 kB
  5. libcurl-devel-7.29.0-35.el7.i686.rpm
    MD5: c3e1e01ef64996e4ac78c934a9d01c16
    SHA-256: 99788bb687dca7cb036725a0e38d15b62c3af978df93fe4f61573315e2628e86
    Size: 297.75 kB