[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 0/1] curl: Fix CVE-2016-3739.
|
From: |
Leo Famulari |
|
Subject: |
[PATCH 0/1] curl: Fix CVE-2016-3739. |
|
Date: |
Sat, 11 Jun 2016 23:38:29 -0400 |
If your SSL / TLS provider is mbedTLS (formerly PolarSSL), there is a
bug in curl [CVE-2016-3739] that allows an attacker to bypass the full
certificate check by presenting any valid certificate.
So, you might think are connecting to https://example.com, when in fact
the attacker has a certificate for any other domain.
We don't package mbedTLS, but I still think we should provide the fixed
source code.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3739
https://curl.haxx.se/docs/adv_20160518.html
Leo Famulari (1):
gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739].
gnu/packages/curl.scm | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--
2.8.4
- [PATCH 0/1] curl: Fix CVE-2016-3739.,
Leo Famulari <=
- [PATCH 1/1] gnu: curl: Replace with 7.49.1 [fixes CVE-2016-3739]., Leo Famulari, 2016/06/11
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., Ludovic Courtès, 2016/06/12
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., ng0, 2016/06/12
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., Leo Famulari, 2016/06/12
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., Ludovic Courtès, 2016/06/13
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., ng0, 2016/06/13
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., Leo Famulari, 2016/06/13
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., ng0, 2016/06/13
- Re: [PATCH 0/1] curl: Fix CVE-2016-3739., Leo Famulari, 2016/06/13