diff options
author | Yasuhiro Kimura <yasu@FreeBSD.org> | 2024-02-08 07:45:33 +0000 |
---|---|---|
committer | Yasuhiro Kimura <yasu@FreeBSD.org> | 2024-02-28 00:50:29 +0000 |
commit | 16f370e33f0cdd303de5a28f598d67b40091e307 (patch) | |
tree | 97a4f51e7db79aa850334278e0c5da5c7dfb7b42 | |
parent | ea79bcadf65c06d69959d8d6c21c28d11b4b3ac8 (diff) | |
download | ports-16f370e33f0cdd303de5a28f598d67b40091e307.tar.gz ports-16f370e33f0cdd303de5a28f598d67b40091e307.zip |
security/vuxml: Document OCSP verification bypass vulnerability in curl
PR: 276879
-rw-r--r-- | security/vuxml/vuln/2024.xml | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml index 58b2218ecd4e..d425738ea7e7 100644 --- a/security/vuxml/vuln/2024.xml +++ b/security/vuxml/vuln/2024.xml @@ -1,3 +1,35 @@ + <vuln vid="02e33cd1-c655-11ee-8613-08002784c58d"> + <topic>curl -- OCSP verification bypass with TLS session reuse</topic> + <affects> + <package> + <name>curl</name> + <range><lt>8.6.0</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Hiroki Kurosawa reports:</p> + <blockquote cite="https://curl.se/docs/CVE-2024-0853.html"> + <p> + curl inadvertently kept the SSL session ID for connections + in its cache even when the verify status (OCSP stapling) + test failed. A subsequent transfer to the same hostname + could then succeed if the session ID cache was still + fresh, which then skipped the verify status check. + </p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2024-0853</cvename> + <url>https://curl.se/docs/CVE-2024-0853.html</url> + </references> + <dates> + <discovery>2024-01-31</discovery> + <entry>2024-02-28</entry> + </dates> + </vuln> + <vuln vid="5ecfb588-d2f4-11ee-ad82-dbdfaa8acfc2"> <topic>gitea -- Fix XSS vulnerabilities</topic> <affects> |