Bugzilla – Bug 1219149
VUL-0: CVE-2024-0853: curl: OCSP verification bypass with TLS session reuse
Last modified: 2024-04-15 15:09:57 UTC
via distros CRD: 2024-01-31 OCSP verification bypass with TLS session reuse =============================================== Project curl Security Advisory, January 31 2024 - [Permalink](https://curl.se/docs/CVE-2024-0853.html) VULNERABILITY ------------- curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. INFO ---- This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-0853 to this issue. CWE-299: Improper Check for Certificate Revocation Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 8.5.0 to and including 8.5.0 - Not affected versions: curl < 8.5.0 and >= 8.5.0 - Introduced-in: https://github.com/curl/curl/commit/395365ad2d9a6c3f1a35d libcurl is used by many applications, but not always advertised as such! This flaw is also accessible using the curl command line tool. SOLUTION ------------ If verify status fails, make sure the session id is not cached. - Fixed-in: https://github.com/curl/curl/commit/c28e9478cb2548848ec RECOMMENDATIONS -------------- A - Upgrade curl to version 8.6.0 B - Apply the patch to your local version C - Do not use curl built to use OpenSSL D - Do not allow TLS 1.2 for your transfers TIMELINE -------- This issue was reported to the curl project on December 29, 2023. We contacted distros@openwall on January 24, 2024. curl 8.6.0 was released on January 31 2024 around 07:00 UTC, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Hiroki Kurosawa - Patched-by: Daniel Stenberg Thanks a lot!
Only curl 8.5.0 is affected, so no SLE version is affected.
https://curl.se/docs/CVE-2024-0853.html OCSP verification bypass with TLS session reuse =============================================== Project curl Security Advisory, January 31 2024 - [Permalink](https://curl.se/docs/CVE-2024-0853.html) VULNERABILITY ------------- curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check. INFO ---- This issue is limited to curl built to use OpenSSL and when using TLS 1.2 only and not TLS 1.3. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2024-0853 to this issue. CWE-299: Improper Check for Certificate Revocation Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 8.5.0 to and including 8.5.0 - Not affected versions: curl < 8.5.0 and >= 8.6.0 - Introduced-in: https://github.com/curl/curl/commit/395365ad2d9a6c3f1a35d libcurl is used by many applications, but not always advertised as such! This flaw is also accessible using the curl command line tool. SOLUTION ------------ If verify status fails, make sure the session id is not cached. - Fixed-in: https://github.com/curl/curl/commit/c28e9478cb2548848ec RECOMMENDATIONS -------------- A - Upgrade curl to version 8.6.0 B - Apply the patch to your local version C - Do not use curl built to use OpenSSL D - Do not allow TLS 1.2 for your transfers TIMELINE -------- This issue was reported to the curl project on December 29, 2023. We contacted distros@openwall on January 24, 2024. curl 8.6.0 was released on January 31 2024 around 07:00 UTC, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Hiroki Kurosawa - Patched-by: Daniel Stenberg Thanks a lot! -- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html
All submitted: * ALP: https://build.suse.de/request/show/319964 * Factory: https://build.opensuse.org/request/show/1142991 Assigning back to security-team.
released